
BANK SECRECY ACT, ANTI-MONEY LAUNDERING, AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1

DSC Risk Management Manual of Examination Policies (12-04), Federal Deposit Insurance Corporation

INTRODUCTION TO THE BANK SECRECY ACT

The Financial Recordkeeping and Reporting of Currency and Foreign Transactions Act of 1970 (31 U.S.C. 5311 et seq.) is referred to as the Bank Secrecy Act (BSA). The purpose of the BSA is to require United States (U.S.) financial institutions to maintain appropriate records and file certain reports involving currency transactions and a ’s customer relationships. Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs) are the primary means used by to satisfy the requirements of the BSA. The recordkeeping regulations also include the requirement that a financial institution’s records be sufficient to enable transactions and activity in customer accounts to be reconstructed if necessary. In doing so, a paper and audit trail is maintained. These records and reports have a high degree of usefulness in criminal, , or regulatory investigations or proceedings.

The BSA consists of two parts: Title I Financial Recordkeeping and Title II Reports of Currency and Foreign Transactions. Title I authorizes the Secretary of the Department of the Treasury (Treasury) to issue regulations, which require insured financial institutions to maintain certain records. Title II directed the Treasury to prescribe regulations governing the reporting of certain transactions by and through financial institutions in excess of $10,000 into, out of, and within the U.S. The Treasury’s implementing regulations under the BSA, issued within the provisions of 31 CFR Part 103, are included in the FDIC’s Rules and Regulations and on the FDIC website.

The implementing regulations under the BSA were originally intended to aid investigations into an array of criminal activities, from evasion to money laundering. In recent years, the reports and records prescribed by the BSA have also been utilized as tools for investigating individuals suspected of engaging in illegal drug and terrorist financing activities. Law enforcement agencies have found CTRs to be extremely valuable in tracking the huge amounts of cash generated by individuals and entities for illicit purposes. SARs, used by financial institutions to report identified or suspected illicit or unusual activities, are likewise extremely valuable to law enforcement agencies.

Several acts and regulations expanding and strengthening the scope and enforcement of the BSA, anti-money laundering (AML) measures, and counter-terrorist financing measures have been signed into law and issued, respectively, over the past several decades. Several of these acts include:

• Money Laundering Control Act of 1986,
• Annunzio-Wylie Anti-Money Laundering Act of 1992,
• Money Laundering Suppression Act of 1994, and
• Money Laundering and Financial Crimes Strategy Act of 1998.

Most recently, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (more commonly known as the USA PATRIOT Act) was swiftly enacted by Congress in October 2001, primarily in response to the September 11, 2001 terrorist attacks on the U.S. The USA PATRIOT Act established a host of new measures to prevent, detect, and prosecute those involved in money laundering and terrorist financing.

FINANCIAL CRIMES ENFORCEMENT NETWORK REPORTING AND RECORDKEEPING REQUIREMENTS

Currency Transaction Reports and Exemptions

U.S. financial institutions must file a CTR, Financial Crimes Enforcement Network (FinCEN) Form 104 (formerly known as Internal Revenue Service [IRS] Form 4789), for each currency transaction over $10,000. A currency transaction is any transaction involving the physical transfer of currency from one person to another and covers deposits, withdrawals, exchanges, or transfers of currency or other payments. Currency is defined as currency and coin of the U.S. or any other country as long as it is customarily accepted as money in the country of issue.

Multiple currency transactions shall be treated as a single transaction if the financial institution has knowledge that the transactions are by, or on behalf of, any person and result in either cash in or cash out totaling more than $10,000 during any one business day. Transactions at all branches of a financial institution should be aggregated when determining reportable multiple transactions.

CTR Filing Requirements

Customer and Transaction Information

All CTRs required by 31 CFR 103.22 of the Financial Recordkeeping and Reporting of Currency and Foreign Transactions regulations must be filed with the IRS. Financial institutions are required to provide all requested information on the CTR, including the following for the person conducting the transaction:

• Name,
• Street address (a post office box number is not acceptable),
• Social security number (SSN) or taxpayer identification number (TIN) (for non-U.S. residents), and
• Date of birth.

The documentation used to verify the identity of the individual conducting the transaction should be specified. Signature cards may be relied upon; however, the specific documentation used to establish the person’s identity should be noted. A mere notation that the customer is “known to the financial institution” is insufficient. Additional requested information includes the following:

• Account number,
• Social security number or taxpayer identification number of the person or entity for whose account the transaction is being conducted (should reflect all account holders for joint accounts), and
• Amount and kind of transaction (transactions involving foreign currency should identify the country of origin and report the U.S. dollar equivalent of the foreign currency on the day of the transaction).

The financial institution must provide a contact person, and the CTR must be signed by the preparer and an approving official. Financial institutions can also file amendments on previously filed CTRs by using a new CTR form and checking the box that indicates an amendment.

CTR Filing Deadlines

CTRs filed with the IRS are maintained in the FinCEN database, which is made available to Federal Banking Agencies [1] and law enforcement. Paper forms are to be filed within 15 days following the date of the reportable transaction. If CTRs are filed using magnetic media, pursuant to an agreement between a financial institution and the IRS, a financial institution must file a CTR within 25 calendar days of the date of the reportable transaction. A third option is to file CTRs using the Patriot Act Communication System (PACS), which also allows up to 25 calendar days to file the CTR following the reportable transaction. PACS was launched in October 2002 and permits secure filing of CTRs over the Internet using encryption technology. Financial institutions can access PACS after applying for and receiving a digital certificate.

[1] Federal Banking Agencies consist of the Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), National Credit Union Administration (NCUA), and the FDIC.

Examiners reviewing filed CTRs should inquire with financial institution management regarding the manner in which CTRs are filed before evaluating the timeliness of such filings. If for any reason a financial institution should withdraw from the magnetic tape program or the PACS program, or for any other reason file paper CTRs, those CTRs must be filed within the standard 15 day period following the reportable transaction.

Exemptions from CTR Filing Requirements

Certain “persons” who routinely use currency may be eligible for exemption from CTR filings. Exemptions were implemented to reduce the reporting burden and permit more efficient use of the filed records. Financial institutions are not required to exempt customers, but are encouraged to do so. There are two types of exemptions, referred to as “Phase I” and “Phase II” exemptions.

“Phase I” exemptions may be granted for the following “exempt persons”:

• A bank [2], to the extent of its domestic operations;
• A Federal, State, or local government agency or department;
• Any entity exercising governmental authority within the U.S. (U.S. includes District of Columbia, Territories, and Indian tribal lands);
• Any listed entity other than a bank whose common stock or analogous equity are listed on the New York, American, or NASDAQ stock exchanges (with some exceptions);
• Any U.S. domestic subsidiary (other than a bank) of any “listed entity” that is organized under U.S. law and at least 51 percent of the subsidiary’s common stock is owned by the listed entity.

[2] Bank is defined in The U.S. Department of the Treasury (Treasury) Regulation 31 CFR 103.11.

“Phase II” exemptions may be granted for the following:

• A “non-listed business,” which includes commercial enterprises that do not have more than 50% of the business gross revenues derived from certain ineligible businesses. Gross revenue has been interpreted to reflect what a business actually earns from an activity conducted by the business, rather than the sales volume of such activity. “Non-listed businesses” must
also be incorporated or organized under U.S. laws and be eligible to do business in the U.S. and may only be exempted to the extent of its domestic operations.
• A “payroll customer,” which includes any other person not covered under the “exempt person” definition that operates a firm that regularly withdraws more than $10,000 in order to pay its U.S. employees in currency. “Payroll customers” must also be incorporated and eligible to do business in the U.S. “Payroll customers” may only be exempted on their withdrawals for payroll purposes from existing transaction accounts.

Commercial transaction accounts of sole proprietorships can qualify for “non-listed business” or “payroll customer” exemption.

Exemption of Franchisees

Franchisees of listed corporations (or of their subsidiaries) are not included within the definition of an “exempt person” under “Phase I” unless such franchisees are independently exempt as listed corporations or listed corporation subsidiaries. For example, a local corporation that holds an ABC Corporation franchise is not a “Phase I” “exempt person” simply because ABC Corporation is a listed corporation; however, it is possible that the local corporation may qualify for “Phase II” exemption as a “non-listed business,” assuming it meets all other exemption qualification requirements. An ABC Corporation outlet owned by ABC Corporation directly, on the other hand, would be a “Phase I” “exempt person” because ABC Corporation's common stock is listed on the New York Stock Exchange.

Ineligible Businesses

There are several higher-risk businesses that may not be exempted from CTR filings. The nature of these businesses increases the likelihood that they can be used to facilitate money laundering and other illicit activities. Ineligible businesses include:

• Non-bank financial institutions or agents thereof (this definition includes telegraph companies, and money services businesses [currency exchange, check casher, or issuer of monetary instruments in an amount greater than $1,000 to any person in one day]);
• Purchasers or sellers of motor vehicles, vessels, aircraft, farm equipment, or mobile homes;
• Those engaged in the practice of law, medicine, or accountancy;
• Investment advisors or investment bankers;
• Real estate brokerage, closing, or title insurance firms;
• Pawn brokers;
• Businesses that charter ships, aircraft, or buses;
• Auction services;
• Entities involved in gaming of any kind (excluding licensed pari-mutuel betting at race tracks);
• Trade union activities; and
• Any other activities as specified by FinCEN.

Additional Qualification Criteria for Phase II Exemptions

Both “non-listed businesses” and “payroll customers” must meet the following additional criteria to be eligible for “Phase II” exemption:

• The entity has maintained a transaction account with the financial institution for at least twelve consecutive months;
• The entity engages in frequent currency transactions that exceed $10,000 (or in the case of a “payroll customer,” regularly makes withdrawals of over $10,000 to pay U.S. employees in currency); and
• The entity is incorporated or organized under the laws of the U.S. or a state, or registered as, and eligible to do business in the U.S. or state.

The financial institution may treat all of the customer’s transaction accounts at that financial institution as a single account to qualify for exemption. There may be exceptions to this rule if certain accounts are exclusively used for non-exempt portions of the business. (For example, a small grocery with services has a separate account just for its wire business).

Accounts of multiple businesses owned by the same individual(s) are generally not eligible to be treated as a single account. However, it may be necessary to treat such accounts as a single account if the financial institution has evidence that the corporate veil has been pierced. Such evidence may include, but is not limited to:

• Businesses are operated out of the same location and/or utilize the same phone number;
• Businesses are operated by the same daily management and/or board of directors;
• Cash deposits or other banking transactions are completed by the same individual at the same time for the different businesses;
• Funds are frequently intermingled between accounts or there are unexplained transfers from one account to the other; or
• Business activities of the entities cannot be differentiated.

More than one of these factors must typically be present in order to provide sufficient evidence that the corporate veil has been pierced.

Transactions conducted by an “exempt person” as agent or on behalf of another person are not eligible to be exempted based on being transacted by an “exempt person.”

Exemption Qualification Documentation Requirements

Decisions to exempt any entity should be based on the financial institution taking reasonable and prudent steps to document the identification of the entity. The specific methodology for performing this assessment is largely at the financial institution’s discretion; however, results of the review must be documented. For example, it is acceptable to document that a stock is listed on a stock market by relying on a listing of exchange stock published in a newspaper or by using publicly available information through the Securities and Exchange Commission (SEC). To document the subsidiary of a listed entity, a financial institution may rely on authenticated corporate officer’s certificates or annual reports filed with the SEC. Annually, management should also ensure that “Phase I” exempt persons remain eligible for exemption (for example, entities remain listed on National exchanges.)

For “non-listed businesses” and “payroll customers,” the financial institution will need to document that the entity meets the qualifying criteria both at the time of the initial exemption and annually thereafter. To perform the annual reviews, the financial institution can verify and update the information that it has in its files to document continued eligibility for exemption. The financial institution must also indicate that it has a system for monitoring the transactions in the account for suspicious activity as it continues to be obligated to file Suspicious Activity Reports on activities of “exempt persons,” when appropriate. SARs are discussed in detail within the “Suspicious Activity Reporting” section of this chapter.

Designation of Exempt Person Filings and Renewals

Both “Phase I” and “Phase II” exemptions are filed with FinCEN using Form TD F 90-22.53 - Designation of Exempt Person. This form is available on the Internet at FinCEN’s website. The designation must be made separately by each financial institution that treats the person in question as an exempt customer. This designation requirement applies whether or not the designee has previously been treated as exempt from the CTR reporting requirements within 31 CFR 103. Again, the exemption applies only to transactions involving the “exempt person's” own funds. A transaction carried out by an “exempt person” as an agent for another person, who is the beneficial owner of the funds involved in a transaction in currency cannot be exempted.

Exemption forms for “Phase I” persons need to be filed only once. A financial institution that wants to exempt another financial institution from which it buys or sells currency must be designated exempt by the close of the 30 day period beginning after the day of the first reportable transaction in currency with the other financial institution. Federal Reserve Banks are excluded from this requirement.

Exemption forms for “Phase II” persons need to be renewed and filed every two years, assuming that the “exempt person” continues to meet all exemption criteria, as verified and documented in the required annual review process discussed above. The filing must be made by March 15th of the second calendar year following the year in which the initial exemption was granted, and by every other March 15th thereafter. When filing a biennial renewal of the exemption for these customers, the financial institution will need to indicate any change in ownership of the business. Initial exemption of a “non-listed business” or “payroll customer” must be made within 30 days after the day of the first reportable transaction in currency that the financial institution wishes to include under the exemption. Form TD F 90-22.53 can also be used to revoke or amend an exemption.

CTR Backfiling

Examiners may determine that a financial institution has failed to file CTRs in accordance with 31 CFR 103, or has improperly exempted customers from CTR filings. In situations where an institution has failed to file a number of CTRs on reportable transactions for any reason, examiners should instruct management to promptly contact the IRS Detroit Computing Center (IRS DCC), Compliance Review Group for instructions and guidance concerning the possible requirement to backfile CTRs for those affected transactions. The IRS DCC will provide an initial determination on whether CTRs should be backfiled in those cases. Cases that involve substantial noncompliance with CTR filing requirements are referred to FinCEN for review. Upon review, FinCEN may correspond directly with the institution to discuss the program deficiencies that resulted in the institution’s failure to appropriately file a CTR and the corrective action that management has implemented to prevent further infractions.

When a backfiling request is necessary, examiners should direct financial institutions to write a letter to the IRS at the IRS Detroit Computing Center, Compliance Review Group Attn: Backfiling, P.O. Box 32063, Detroit, Michigan,
48232-0063 that explains why CTRs were not filed. Examiners should also provide the financial institution a copy of the “Check List for CTR Filing Determination” form available on the FDIC’s website. The financial institution will need to complete this form and include it with the letter to the IRS.

Once an institution has been instructed to contact IRS DCC for a backfiling determination, examiners should notify both their Regional Special Activities Case Manager (SACM) or other designees and the Special Activities Section (SAS) in Washington, D.C. Specific contacts are listed on the FDIC’s Intranet website. Requisite information should be forwarded electronically via e-mail to these contacts.

Currency and Banking Retrieval System

The Currency and Banking Retrieval System (CBRS) is a database of CTRs, SARs, and CTR Exemptions filed with the IRS. It is maintained at the IRS Detroit Computing Center. The SAS, as well as each Region’s SACM and other designees, has on-line access to the CBRS. Refer to your Regional Office for a full listing of those individuals with access to the FinCEN database.

Examiners should routinely receive volume and trend information on CTRs and SARs from their Regional SACM or other designees for each examination or visitation prior to the pre-planning process. In addition, the database information may be used to verify CTR, SAR and/or CTR Exemption filings. Detailed FinCEN database information may be used for expanded BSA reviews or in any unusual circumstances where examiners suspect certain forms have not been filed by the financial institution, or where suspicious activity by individuals has been detected. Examiners should provide all of the following items they have available for each search request:

• The name of the subject of (financial institution and/or individual/entity);
• The subject's nine-digit TIN/SSN (in Part III of the CTR form if seeking information on the financial institution and/or Part I of the CTR form if seeking information on the individual/entity); and
• The date range for which the information is requested.

When requesting a download or listing of CTR and SAR information, examiners should take into consideration the volume of CTRs and SARs filed by the financial institution under examination when determining the date range requested. Except under unusual circumstances, the date range for full listings should be no greater than one year. For financial institutions with a large volume of records, three months or less may be more appropriate.

Since variations in spellings of an individual’s name are possible, accuracy of the TIN/SSN is essential in ensuring accuracy of the information received from the FinCEN database. To this end, examiners should also identify any situations where a financial institution is using more than one tax identification number to file their CTRs and/or SARs. To reduce the possibility of error in communicating CTR and SAR information/verification requests, examiners are requested to e-mail or fax the request to their Regional SACM or other designee.

Other FinCEN Reports

Report of International Transportation of Currency or Monetary Instruments

Treasury regulation 31 CFR 103.23 requires the filing of FinCEN Form 105, formerly Form 4790, to comply with other Treasury regulations and U.S. Customs disclosure requirements involving physical transport, mailing or shipping of currency or monetary instruments greater than $10,000 at one time out of or into the U.S. The report is to be completed by or on behalf of the person requesting the transfer of the funds and filed within 15 days. However, financial institutions are not required to report these items if they are mailed or shipped through the postal service or by common carrier. Also excluded from reporting are those items that are shipped to or received from the account of an established customer who maintains a deposit relationship with the bank, provided the item amounts are commensurate with the customary conduct of business of the customer concerned.

In situations where the quantity, dollar volume, and frequency of the currency and/or monetary instruments are not commensurate with the customary conduct of the customer, financial institution management will need to conduct further documented research on the customer’s transactions and determine whether a SAR should be filed with FinCEN. Please refer to the discussion on “Customer Due Diligence” and “Suspicious Activity Reporting” within this chapter for detailed guidance.

Reports of Foreign Bank Accounts

Within 31 CFR 103.24, the Treasury requires each person who has a financial interest in or signature authority, or other authority over any financial accounts, including bank, securities, or other types of financial accounts, maintained in a foreign country to report those relationships to the IRS annually if the aggregate value of the accounts exceeds
$10,000 at any point during the calendar year. The report should be filed by June 30 of the succeeding calendar year, using Form TD F 90-22.1 available on the FinCEN website. By definition, a foreign country includes all locations outside the United States, Guam, Puerto Rico, the Virgin Islands, the Northern Mariana Islands, American Samoa, and Trust Territory of the Pacific Islands. U.S. military banking facilities are excluded. Foreign assets including securities issued by foreign corporations that are held directly by a U.S. person, or through an account maintained with a U.S. office of a bank or other institution are not subject to the BSA foreign account reporting requirements. The bank is also not required to report international interbank transfer accounts (“nostro accounts”) held by domestic banks. Also excluded are accounts held in a foreign financial institution in the name of, or on behalf of, a particular customer of the financial institution, or that are used solely for the transactions of a particular customer. Finally, an officer or employee of a federally-insured depository institution branch, or agency office within the U.S. of a foreign bank that is subject to the supervision of a Federal bank regulatory agency need not report that he or she has signature or other authority over a foreign bank, securities or other financial account maintained by such entities unless he or she has a personal financial interest in the account.

FinCEN Recordkeeping Requirements

Required Records for Sales of Monetary Instruments for Cash

Treasury regulation 31 CFR 103.29 prohibits financial institutions from issuing or selling monetary instruments purchased with cash in amounts of $3,000 to $10,000, inclusive, unless it obtains and records certain identifying information on the purchaser and specific transaction information. Monetary instruments include bank checks, bank drafts, cashier’s checks, money orders, and traveler’s checks. Furthermore, the identifying information of all purchasers must be verified. The following information must be obtained from a purchaser who has a deposit account at the financial institution:

• Purchaser’s name;
• Date of purchase;
• Type(s) of instrument(s) purchased;
• Serial number(s) of each of the instrument(s) purchased; and
• Amounts in dollars of each of the instrument(s) purchased.

If the purchaser does not have a deposit account at the financial institution, the following additional information must be obtained:

• Address of the purchaser (a post office box number is not acceptable);
• Social security number (or alien identification number) of the purchaser;
• Date of birth of the purchaser; and
• Verification of the name and address with an acceptable document (i.e. driver’s license).

The regulation requires that multiple purchases during one business day be aggregated and treated as one purchase. Purchases of different types of instruments at the same time are treated as one purchase and the amounts should be aggregated to determine if the total is $3,000 or more. In addition, the financial institution should have procedures in place to identify multiple purchases of monetary instruments during one business day, and to aggregate this information from all of the bank branch offices.

If a customer first deposits the cash in a , then purchases a monetary instrument(s), the transaction is still subject to this regulatory requirement. The financial institution is not required to maintain a log for these transactions, but should have procedures in place to recreate the transactions.

The information required to be obtained under 31 CFR 103.29 must be retained for a period of five years.

Funds Transfer and Travel Rule Requirements

Treasury regulation 31 CFR Section 103.33 prescribes information that must be obtained for funds transfers in the amount of $3,000 or more. There is a detailed discussion of the recordkeeping requirements and risks associated with wire transfers within the “Banking Services and Activities with Greater Potential for Money Laundering and Terrorist Financing Vulnerabilities” discussion within this chapter.

Records to be Made and Retained by Financial Institutions

Treasury regulation 31 CFR 103.33 states that each financial institution must retain either the original or a microfilm or other copy/reproduction of each of the following:

• A record of each extension of credit in an amount in excess of $10,000, except an extension of credit secured by an interest in real property. The record
must contain the name and address of the borrower, the amount, the nature or purpose of the loan, and the date the loan was made. The stated purpose can be very general such as a passbook loan, personal loan, or business loan. However, financial institutions should be encouraged to be as specific as possible when stating the loan purpose. Additionally, the purpose of a renewal, refinancing, or consolidation is not required as long as the original purpose has not changed and the original statement of purpose is retained for a period of five years after the renewal, refinancing or consolidation has been paid out.
• A record of each advice, request, or instruction received or given regarding any transaction resulting in the transfer of currency or other monetary instruments, funds, checks, investment securities, or credit, of more than $10,000 to or from any person, account, or place outside the U.S. This requirement also applies to transactions later canceled if such a record is normally made.

Required Records for Deposit Accounts

Treasury regulation 31 CFR 103.34 requires banking institutions to obtain and retain a social security number or taxpayer identification number for each deposit account opened after June 30, 1972, and before October 1, 2003. The same information must be obtained for each certificate of deposit sold or redeemed after May 31, 1978, and before October 1, 2003. The banking institution must make a reasonable effort to obtain the identification number within 30 days after opening the account, but will not be held in violation of the regulation if it maintains a list of the names, addresses, and account numbers of those customers from whom it has been unable to secure an identification number. Where a person is a nonresident alien, the banking institution shall also record the person's passport number or a description of some other government document used to verify his/her identity.

Furthermore, 31 CFR 103.34 generally requires banks to maintain records of items needed to reconstruct transaction accounts and other receipts or remittances of funds through a bank. Specific details of these requirements are in the regulation.

Record Retention Period and Nature of Records

All records required by the regulation shall be retained for five years. Records may be kept in paper or electronic form. Microfilm, microfiche or other commonly accepted forms of records are acceptable as long as they are accessible within a reasonable period of time. The record should be able to show both the front and back of each document. If no record is made in the ordinary course of business of any transaction with respect to which records are required to be retained, then such a record shall be prepared in writing by the financial institution.

CUSTOMER IDENTIFICATION PROGRAM

Section 326 of the USA PATRIOT Act, which is implemented by 31 CFR 103.121, requires banks, savings associations, credit unions, and certain non-federally regulated banks to implement a written Customer Identification Program (CIP) appropriate for its size and type of business. For Section 326, the definition of financial institution encompasses a variety of entities, including banks, agencies and branches of foreign banks in the U.S., thrifts, credit unions, private banks, trust companies, investment companies, brokers and dealers in securities, futures commission merchants, insurance companies, travel agents, pawnbrokers, dealers in precious metals, check cashers, casinos, and telegraph companies, among many others identified at 31 USC 5312(a)(2) and (c)(1)(A). As of October 1, 2003, all institutions and their operating subsidiaries must have in place a CIP pursuant to Treasury regulation 31 CFR 103.121.

The CIP rules do not apply to a financial institution’s foreign subsidiaries. However, financial institutions are encouraged to implement an effective CIP throughout their operations, including their foreign offices, except to the extent that the requirements of the rule would conflict with local law.

Applicability of CIP Regulation

The CIP rules apply to banks, as defined in 31 CFR 103.11 that are subject to regulation by a Federal Banking Agency and to any non-Federally-insured , or trust company that does not have a Federal functional regulator. Entities that are regulated by the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) are subject to separate rulemakings. It is intended that the effect of all of these rules be uniform throughout the industry.

CIP Requirements

31 CFR 103.121 requires a bank to develop and implement a written, board-approved CIP, appropriate for its size and type of business that includes, at a minimum, procedures for:

• Verifying a customer’s true identity to the extent reasonable and practicable and defining the methodologies to be used in the verification process;
• Collecting specific identifying information from each customer when opening an account;
• Responding to circumstances and defining actions to be taken when a customer’s true identity cannot be appropriately verified with “reasonable belief;”
• Maintaining appropriate records during the collection and verification of a customer’s identity;
• Verifying a customer’s name against specified terrorist lists; and
• Providing customers with adequate notice that the bank is requesting identification to verify their identities.

While not required, a bank may also include procedures for:

• Specifying when it will rely on another financial institution (including an affiliate) to perform some or all of the elements of the CIP.

Additionally, 31 CFR 103.121 provides that a bank with a Federal functional regulator must formally incorporate its CIP into its written board-approved anti-money laundering program. The FDIC expanded Section 326.8 of its Rules and Regulations to require each FDIC-supervised institution to implement a CIP that complies with 31 CFR 103.121 and incorporate such CIP into a bank’s written board-approved BSA compliance program (with evidence of such approval noted in the board meeting minutes). Consequently, a bank must specifically provide:

• Internal policies, procedures, and controls;
• Designation of a compliance officer;
• Ongoing employee training programs; and
• An independent audit function to test program.

The slight difference in wording between the Treasury’s and FDIC’s regulations regarding incorporation of a bank’s CIP within its anti-money laundering program and BSA compliance program, respectively, was not intended to create duplicative requirements. Therefore, an FDIC-regulated bank must include its CIP within its anti-money laundering program and the latter included under the “umbrella” of its overall BSA/AML program.

CIP Definitions

As discussed above, both Section 326 of the USA PATRIOT Act and 31 CFR 103.121 specifically define the terms financial institution and bank. Similarly, specific definitions are provided for the terms person, customer, and account. Both bank management and examiners must properly understand these terms in order to effectively implement and assess compliance with CIP regulations, respectively.

Person

A person is generally an individual or other legal entity (such as registered corporations, partnerships, and trusts).

Customer

A customer is generally defined as any of the following:

• A person that opens a new account (account is defined further within the discussion of CIP definitions);3
• An individual acting with “power of attorney” (POA) who opens a new account to be owned by or for the benefit of a person lacking legal capacity, such as a minor;
• An individual who opens an account for an entity that is not a legal person, such as a civic club or sports boosters;
• An individual added to an existing account or one who assumes an existing debt at the bank; or
• A deposit broker who brings new customers to the bank (as discussed in detail later within this section).

The definition of customer excludes:

• A financial institution regulated by a Federal Banking Agency or a bank regulated by a regulator4;
• A department or agency of the U.S. Government, of any state, or of any political subdivision of any state;
• Any entity established under the laws of the U.S., of any state, or of any political subdivision of any state, or under an interstate compact between two or more states, that exercises governmental authority on behalf of the U.S. or any such state or political subdivision (U.S. includes District of Columbia and Indian tribal lands and governments); or

3 If a POA individual opens an account for another individual with legal capacity or for a legal entity, then the customer is still the account holder. In this case, the POA is an agent acting on behalf of the person that opens the account and the CIP must still cover the account holder (unless the person lacks legal capacity).

4 The IRS is not a Federal functional regulator. Consequently, money service businesses, such as check cashers and wire transmitters that are regulated by the IRS are not exempted from the definition of customer for CIP purposes.

• Any entity, other than a bank, whose common stock or analogous equity interests are listed on the New York or American Stock Exchanges or whose common stock or analogous equity interests have been designated as a NASDAQ National Market Security listed on the NASDAQ Stock Market (except stock or interests listed under the separate "NASDAQ Small-Cap Issues" heading). A listed company is exempted from the definition of customer only for its domestic operations.

The definition of customer also excludes a person who has an existing account with a bank, provided that the bank has a “reasonable belief” that it knows the true identity of the person. So, if the person were to open an additional account, or renew or roll over an existing account, CIP procedures would not be required. A bank can demonstrate that it has a “reasonable belief” that it knows the identity of an existing customer by:

• Demonstrating that it had similar procedures in place to verify the identity of persons prior to the effective date of the CIP rule. (An “affidavit of identity” by a bank officer is not acceptable for demonstrating “reasonable belief.”)
• Providing a history of account statements sent to the person.
• Maintaining account information sent to the IRS regarding the person’s accounts accompanied by IRS replies that contain no negative comments.
• Providing evidence of made and repaid, or other services performed for the person over a period of time.

These actions may not be sufficient for existing account holders deemed to be high risk. For example, in the situation of an import/export business where the identifying information on file only includes a number from a passport marked as a duplicate with no additional business information on file, the bank should follow all of the CIP requirements provided in 31 CFR 103.121 since it does not have sufficient information to show a “reasonable belief” of the true identity of the existing account holder.

Account

An account is defined as a formal, ongoing banking relationship established to provide or engage in services, dealings, or other financial transactions including:

• Deposit accounts;
• Transaction or asset accounts;
• Credit accounts, or any other extension of credit;
• Safety deposit box or other safekeeping services;
• Cash management, custodian, and trust services; or
• Any other type of formal, ongoing banking relationship.

The definition of account specifically excludes the following:

• Product or service where a formal banking relationship is NOT established with a person. Thus CIP is not intended for infrequent transactions and activities (already covered under other recordkeeping requirements within 31 CFR 103) such as:
  o Check cashing,
  o Wire transfers,
  o Sales of checks,
  o Sales of money orders;
• Accounts acquired through an acquisition, merger, purchase of assets, or assumption of liabilities (as these “new” accounts were not initiated by customers);5 and
• Accounts opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974 (ERISA).

Furthermore, the CIP requirements do not apply to a person who does not receive banking services, such as a person who applies for a loan but has his/her application denied. The account in this circumstance is only opened when the bank enters into an enforceable agreement to provide a loan to the person (who therefore also simultaneously becomes a customer).

Collecting Required Customer Identifying Information

The CIP must contain account opening procedures that specify the identifying information obtained from each customer prior to opening the account. The minimum required information includes:

• Name.
• Date of birth, for an individual.

5 Accounts acquired by purchase of assets from a third party are excluded from the CIP regulations, provided the purchase was not made under an agency in place or exclusive sale arrangement, where the bank has final approval of the credit. If under an agency arrangement, the bank may rely on the agent third party to perform the bank’s CIP, but it must ensure that the agent is performing the bank’s CIP program. For example, a pool of auto loans purchased from an auto dealer after the loans have already been made would not be subject to the CIP regulations. However, if the bank is directly extending credit to the borrower and is using the car dealer as its agent to gather information, then the bank must ensure that the dealer is performing the bank’s CIP.

• Physical address6, which shall be:
  o for an individual, a residential or business street address (An individual who does not have a physical address may provide an Army Post Office [APO] or a Fleet Post Office [FPO] box number, or the residential or business street address of next of kin or of another contact individual. Using the box number on a rural route is acceptable description of the physical location requirement.)
  o for a person other than an individual (such as corporations, partnerships, and trusts), a principal place of business, local office, or other physical location.
• Identification number including a SSN, TIN, Individual Tax Identification Number (ITIN), or Employer Identification Number (EIN).

For non-U.S. persons, the bank must obtain one or more of the following identification numbers:

• Customer’s TIN,
• Passport number and country of issuance,
• Alien identification card number, and
• Number and country of issuance of any other (foreign) government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.

When opening an account for a foreign business or enterprise that does not have an identification number, the bank must request alternative government-issued documentation certifying the existence of the business or enterprise.

Exceptions to Required Customer Identifying Information

The bank may develop, include, and follow CIP procedures for a customer who at the time of account opening, has applied for, but has not yet received, a TIN. However, the CIP must include procedures to confirm that the application was filed before the customer opens the account and procedures to obtain the TIN within a reasonable period of time after the account is opened.

There is also an exception to the requirement that a bank obtain the above-listed identifying information from the customer prior to opening an account in the case of credit card accounts. A bank may obtain identifying information (such as TIN) from a third-party source prior to extending credit to the customer.

Verifying Customer Identity Information

The CIP should rely on a risk-focused approach when developing procedures for verifying the identity of each customer to the extent reasonable and practicable. A bank need not establish the accuracy of every element of identifying information obtained in the account opening process, but must do so for enough information to form a “reasonable belief” that it knows the true identity of each customer. At a minimum, the risk-focused procedures must be based on, but not limited to, the following factors:

• Risks presented by the various types of accounts offered by the bank;
• Various methods of opening accounts provided by the bank;
• Various sources and types of identifying information available; and
• The bank’s size, location, and customer base.

Furthermore, a bank’s CIP procedures must describe when the bank will use documentary verification methods, non-documentary verification methods, or a combination of both methods.

Documentary Verification

The CIP must contain procedures that set forth the specific documents that the bank will use. For an individual, the documents may include:

• Unexpired government-issued identification evidencing nationality or residence, and bearing a photograph or similar safeguard, such as a driver’s license or passport.

For a person other than an individual (such as a corporation, partnership, or trust), the documents may include:

• Documents showing the existence of the entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, trust instrument, a certificate of good standing, or a business resolution.

Non-Documentary Verification

6 The bank MUST obtain a physical address: a P.O. Box alone is NOT acceptable. Collection of a P.O. Box address and/or alternate mailing address is optional and potentially very useful as part of the bank’s Customer Due Diligence (CDD) program.

Banks are not required to use non-documentary methods to verify a customer’s identity. However, if a bank chooses to do so, a description of the approved non-documentary methods must be incorporated in the CIP. Such methods may include:

• Contacting the customer,
• Checking references with other financial institutions,
• Obtaining a financial statement, and
• Independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from consumer reporting agencies (for example, Experian, Equifax, TransUnion, Chexsystems), public databases (for example, Lexis, Dun and Bradstreet), or other sources (for example, utility bills, phone books, voter registration bills).

The bank’s non-documentary procedures must address situations such as:

• The inability of a customer to present an unexpired government-issued identification document that bears a photograph or similar safeguard;
• Unfamiliarity on the bank’s part with the documents presented;
• Accounts opened without obtaining documents;
• Accounts opened without the customer appearing in person at the bank (for example, accounts opened through the mail or over the Internet); and
• Circumstances increasing the risk that the bank will be unable to verify the true identity of a customer through documents.

Many of the risks presented by these situations can be mitigated. A bank that accepts items that are considered secondary forms of identification, such as utility bills and college ID cards, is encouraged to review more than a single document to ensure that it has formed a “reasonable belief” of the customer’s true identity. Furthermore, in instances when an account is opened over the Internet, a bank may be able to obtain an electronic credential, such as a digital certificate, as one of the methods it uses to verify a customer’s identity.

Additional Verification Procedures for Customers (Non-Individuals)

The CIP must address situations where, based on a risk assessment of a new account that is opened by a customer that is not an individual, the bank will obtain information about individuals with authority or control over such accounts, in order to verify the customer’s identity. These individuals could include such parties as signatories, beneficiaries, principals, and guarantors. As previously stated, a risk-focused approach should be applied to verify customer accounts. For example, in the case of a well-known firm, company information and verification could be sufficient without obtaining and verifying identity information for all signatories. However, in the case of a relatively new or unknown firm, it would be in the bank’s best interest to obtain and verify a greater volume of information on signatories and other individuals with control or authority over the firm’s account.

Inability to Verify Customer Identity Information

The CIP must include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of a customer. These procedures should describe, at a minimum, the following:

• Circumstances when the bank should not open an account;
• The terms or limits under which a customer may use an account while the bank attempts to verify the customer’s identity (for example, minimal or no funding on credit cards, holds on deposits, limits on wire transfers);
• Situations when an account should be closed after attempts to verify a customer’s identity have failed; and
• Conditions for filing a SAR in accordance with applicable laws and regulations.

Recordkeeping Requirements

The bank’s CIP must include recordkeeping procedures for:

• Any document that was relied upon to verify identity noting the type of document, the identification number, the place of issuance, and, if any, the dates of issuance and expiration;
• The method and results of any measures undertaken to perform non-documentary verification procedures; and
• The results of any substantive discrepancy discovered when verifying the identifying information obtained.

Banks are not required to make and retain photocopies of any documents used in the verification process. However, if a bank does choose to do so, it must ensure that these photocopies are physically secured to adequately protect against possible . In addition, such photocopies should not be maintained with files and documentation relating to credit decisions in order to avoid any potential problems with consumer compliance regulations.

Required Retention Period

All required customer identifying information obtained in the account opening process must be retained for five years after the account is closed, or in the case of credit card accounts, five years after the account is closed or becomes dormant. The other “required records” (descriptions of documentary and non-documentary verification procedures and any descriptions of substantive discrepancy resolution) must be retained for five years after the record is made. If several accounts are opened at a bank for a customer simultaneously, all of the required customer identifying information obtained in the account opening process must be retained for five years after the last account is closed, or in the case of credit card accounts, five years after the last account is closed or becomes dormant. As in the case of a single account, all other “required records” must be kept for five years after the records are made.

Comparison with Government Lists of Known or Suspected Terrorists

The CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by the Treasury in consultation with the other Federal functional regulators.

The comparison procedures must be performed and a determination made within a reasonable period of time after the account is opened, or earlier, as required and directed by the issuing agency. Since the USA PATRIOT Act Section 314(a) Requests, discussed in detail under the heading entitled “Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activities,” are one-time only searches, they are not applicable to the CIP.

Adequate Customer Notice

The CIP must include procedures for providing customers with adequate notice that the bank is requesting information to verify their identities. This notice must indicate that the institution is collecting, verifying, and recording the customer identity information as outlined in the CIP regulations. Furthermore, the customer notice must be provided prior to account opening, with the general belief that it will be clearly read and understood. This notice may be posted on a lobby sign, included on the bank’s website, provided orally, or disclosed in writing (for example, account application or separate disclosure form). The regulation provides sample language that may be used for providing adequate customer notice. In the case of joint accounts, the notice must be provided to all joint owners; however, this may be accomplished by providing notice to one owner for delivery to the other owners.

Reliance on Another Financial Institution’s CIP

A bank may develop and implement procedures for relying on another financial institution for the performance of CIP procedures, yet the CIPs at both entities do not have to be identical. The reliance can be used with respect to any bank customer that is opening or has opened an account or similar formal relationship with the relied-upon financial institution. Additionally, the following requirements must be met:

• Reliance is reasonable, under the circumstances;
• The relied-upon financial institution (including an affiliate) is subject to the same anti-money laundering program requirements as a bank, and is regulated by a Federal functional regulator (as previously defined); and
• A signed contract exists between the two entities that requires the relied-upon financial institution to certify annually that it has implemented its anti-money laundering program, and that it will perform (or its agent will perform) the specified requirements of the bank’s CIP.

To strengthen such an arrangement, the signed contract should include a provision permitting the bank to have access to the relied-upon institution’s annual independent review of its CIP.

Deposit Broker Activity

The use of deposit brokers is a common funding mechanism for many financial institutions. This activity is considered higher risk because each deposit broker operates under its own operating guidelines to bring customers to a bank. Consequently, the deposit broker may not be performing sufficient Customer Due Diligence (CDD), Office of Foreign Assets Control (OFAC) screening (refer to the detailed OFAC discussion provided elsewhere within this chapter), or CIP procedures. The bank accepting brokered deposits relies upon the deposit broker to have sufficiently performed all required account opening procedures and to have followed all BSA and AML program requirements.

Deposit Broker is Customer

Regulations contained in 31 CFR 103.121 specifically define the term customer as a person (individual, registered corporation, partnership, or trust). Therefore, according to this definition, if a deposit broker opens an

account(s), the customer is the deposit broker NOT the deposit broker’s clients.

Deposit Broker’s CIP

Deposit brokers must follow their own CIP requirements for their customers. If the deposit broker is registered with the SEC, then it is required to follow the same general CIP requirements as banking institutions and is periodically examined by the SEC for compliance. However, if the deposit broker does not come under the SEC’s jurisdiction, they may not be following any due diligence laws or guidelines.

As such, banks accepting deposit broker accounts should establish policies and procedures regarding the brokered deposits. Policies should establish minimum due diligence procedures for all deposit brokers providing business to the bank. The level of due diligence a bank performs should be commensurate with its knowledge of the deposit broker and the broker’s known business practices.

Banks should conduct enhanced due diligence on unknown and/or unregulated deposit brokers. For protection, the bank should determine that the:

• Deposit broker is legitimate;
• Deposit broker is following appropriate guidance and/or regulations;
• Deposit broker’s policies and procedures are sufficient;
• Deposit broker has adequate CIP verification procedures;
• Deposit broker screens clients for OFAC matches;
• BSA/OFAC audit reviews are adequate and show compliance with requirements; and
• Bank management is aware of the deposit broker’s anticipated volume and transaction type.

Special care should be taken with deposit brokers who:

• Are previously unknown to the bank;
• Conduct business or obtain deposits primarily in another country;
• Use unknown or hard-to-contact businesses and banks for references;
• Provide other services which may be suspect, such as creating shell corporations for foreign clients;
• Advertise their own deposit rates, which vary widely from those offered by banking institutions; and
• Refuse to provide requested due diligence information or use methods to get deposits placed before providing information.

Banks doing business with deposit brokers are encouraged to include contractual requirements for the deposit broker to establish and conduct procedures for minimum CIP, CDD, and OFAC screening.

Finally, the bank should monitor brokered deposit activity for unusual activity, including cash transactions, , and funds transfer activity. Monitoring procedures should identify any “red flags” suggesting that the deposit broker’s customers (the ultimate customers) are trying to conceal their true identities and/or their source of wealth and funds.

Additional Guidance on CIP Regulations

Comprehensive guidance regarding CIP regulations and related examination procedures can be found within FDIC FIL 90-2004, Guidance on Customer Identification Programs. On January 9, 2004, the Treasury, FinCEN, and the Federal Financial Institutions Examination Council (FFIEC) regulatory agencies issued joint interpretive guidance addressing frequently asked questions (FAQs) relating to CIP requirements in FIL-4-2004. Additional information regarding CIP can be found on the FinCEN website.

SPECIAL INFORMATION SHARING PROCEDURES TO DETER MONEY LAUNDERING AND TERRORIST ACTIVITIES

Section 314 of the USA PATRIOT Act covers special information sharing procedures to deter money laundering and terrorist activities. These are the only two categories that apply under Section 314 information sharing; no information concerning other suspicious or criminal activities can be shared under the provisions of Section 314 of the USA PATRIOT Act. Final regulations of the following two rules issued on March 4, 2002, became effective on September 26, 2002:

• Section 314(a), codified into 31 CFR 103.100, requires mandatory information sharing between the U.S. Government (FinCEN, Federal law enforcement agencies, and Federal Banking Agencies) and financial institutions.
• Section 314(b), codified into 31 CFR 103.110, encourages voluntary information sharing between financial institutions and/or associations of financial institutions.

Section 314(a) – Mandatory Information Sharing Between the U.S. Government and Financial Institutions

A Federal law enforcement agency investigating terrorist activity or money laundering may request that FinCEN solicit, on its behalf, certain information from a financial institution or a group of financial institutions on certain individuals or entities. The law enforcement agency must provide a written certification to FinCEN attesting that credible evidence of money laundering or terrorist activity exists. It must also provide specific identifiers such as date of birth, address, and social security number of the individual(s) under investigation that would permit a financial institution to differentiate among customers with common or similar names.

Section 314(a) Requests

Upon receiving an adequate written certification from a law enforcement agency, FinCEN may require financial institutions to perform a search of their records to determine whether they maintain or have maintained accounts for, or have engaged in transactions with, any specified individual, entity, or organization. This process involves providing a Section 314(a) Request to the financial institutions. Such lists are issued to financial institutions every by FinCEN.

Each Section 314(a) request has a unique tracking number. The general instructions for a Section 314(a) Request require financial institutions to complete a one-time search of their records and respond to FinCEN, if necessary, within two weeks. However, individual requests can have different deadline dates. Any specific guidelines on the request supersede the general guidelines.

Designated Point-of-Contact for Section 314(a) Requests

All financial institutions shall designate at least one point-of-contact for Section 314(a) requests and similar information requests from FinCEN. FDIC-supervised financial institutions must promptly notify the FDIC of any changes to the point-of-contact, which is reported on each .

Financial Institution Records Required to be Searched

The records that must be searched for a Section 314(a) Request are specified in the request itself. Using the identifying information contained in the 314(a) request, financial institutions are required to conduct a one-time search of the following records, whether or not they are kept electronically (subject to the limitations below):

• Deposit account records;
• Funds transfer records;
• Sales of monetary instruments (purchaser only);
• Loan records;
• Trust department records;
• Securities records (purchases, sales, safekeeping, etc.);
• Commodities, options, and derivatives; and
• Safe deposit box records (but only if searchable electronically).

According to the general instructions to Section 314(a), financial institutions are NOT required to research the following documents for matches:

• Checks processed through an account for a payee,
• Monetary instruments for a payee,
• Signature cards, and
• CTRs and SARs previously filed.

The general guidelines specify that the record search need only encompass current accounts and accounts maintained by a named subject during the preceding twelve (12) months, and transactions not linked to an account conducted by a named subject during the preceding six (6) months. Any record described above that is not maintained in electronic form need only be searched if it is required to be kept under federal law or regulation.

Again, if the specific guidelines or the timeframe of records to be searched on a Section 314(a) Request differ from the general guidelines, they should be followed to the extent possible. For example, if a particular Section 314(a) Request asks financial institutions to search their records back eight years, the financial institutions should honor such requests to the extent possible, even though BSA recordkeeping requirements generally do not require records to be retained beyond five years.

Reporting of “Matches”

Financial institutions typically have a two-week window to complete the one-time search and respond, if necessary to FinCEN. If a financial institution identifies an account or transaction by or on behalf of an individual appearing on a Section 314(a) Request, it must report back to FinCEN that it has a “positive match,” unless directed otherwise. When reporting this information to FinCEN, no additional details, unless otherwise instructed, should be provided other than the fact that a “positive match” has been identified. In situations where a financial institution is unsure of a match, it may contact the law enforcement agency specified in the Section 314(a) Request. Negative responses to Section 314(a) Requests are not required; the financial institution

does not need to respond to FinCEN on a Section 314(a) Request if there are no matches to the institution’s records. Financial institutions are to be reminded that unless a name is repeated on a subsequent Section 314(a) Request, that name does not need to be searched again.

The financial institution must not notify a customer that he/she has been included on a Section 314(a) Request. Furthermore, the financial institution must not tell the customer that he/she is under investigation or that he/she is suspected of criminal activity.

Restrictions on Use of Section 314(a) Requests

A financial institution may only use the information identified in the records search to report “positive matches” to FinCEN and to file, when appropriate, SARs. If the financial institution has a “positive match,” account activity with that customer or entity is not prohibited; it is acceptable for the financial institution to open new accounts or maintain current accounts with Section 314(a) Request subjects; the closing of accounts is not required. However, the Section 314(a) Requests may be useful as a determining factor for such decisions if the financial institution so chooses. Unlike OFAC lists, Section 314(a) Requests are not permanent “watch lists.” In fact, Section 314(a) Requests are not updated or corrected if an investigation is dropped, a prosecution is declined, or a subject is exonerated, as they are point-in-time inquiries. Furthermore, the names provided on Section 314(a) Requests do not necessarily correspond to convicted or indicted persons; rather, a Section 314(a) Request subject need only be “reasonably suspected,” based on credible evidence of engaging in terrorist acts or money laundering to appear on .

SAR Filings

If a financial institution has a positive match within its records, it is not required to automatically file a SAR on the identified subject. In other words, the subject’s presence on the Section 314(a) Request should not be the sole factor in determining whether to file a SAR. However, prudent BSA compliance practices should ensure that the subject’s accounts and transactions be scrutinized for suspicious or unusual activity. If, after such a review is performed, the financial institution’s management has determined that the subject’s activity is suspicious, unusual, or inconsistent with the customer’s profile, then the timely filing of an SAR would be warranted.

Confidentiality of Section 314(a) Requests

Financial institutions must protect the security of the Section 314(a) Requests, as they are confidential. As stated previously, a financial institution must not tip off a customer that he/she is the subject of a Section 314(a) Request. Similarly, a financial institution cannot disclose to any person or entity, other than to FinCEN, its primary Federal functional regulator, or the Federal law enforcement agency on whose behalf FinCEN is requesting information, the fact that FinCEN has requested or obtained information from a Section 314(a) Request.

FinCEN has stated that an affiliated group of financial institutions may establish one point-of-contact to distribute the Section 314(a) Requests for the purpose of responding to requests. However, the Section 314(a) Requests should not be shared with foreign affiliates or foreign subsidiaries (unless the request specifically states otherwise), and the lists cannot be shared with affiliates or subsidiaries of bank holding companies that are not financial institutions.

Notwithstanding the above restrictions, a financial institution is authorized to share information concerning an individual, entity, or organization named in a Section 314(a) Request from FinCEN with other financial institutions and/or financial institution associations in accordance with the certification and procedural requirements of Section 314(b) of the USA PATRIOT Act discussed below. However, such sharing shall not disclose the fact that FinCEN has requested information on the subjects or the fact that they were included within a Section 314(a) Request.

Internal Financial Institution Measures for Protecting Section 314(a) Requests

In order to protect the confidentiality of the Section 314(a) Requests, these documents should only be provided to financial institution personnel who need the information to conduct the search and should not be left in an unprotected or unsecured area. A financial institution may provide the Section 314(a) Request to third-party information technology service providers or vendors to perform/facilitate the record searches so long as it takes the necessary steps to ensure that the third party appropriately safeguards the information. It is important to remember that the financial institution remains ultimately responsible for the performance of the required searches and to protect the security and confidentiality of the Section 314(a) Requests.

Each financial institution must maintain adequate procedures to protect the security and confidentiality of requests from FinCEN. The procedures to ensure confidentiality will be considered adequate if the financial

institution applies procedures similar to those it has established to comply with Section 501 of the Gramm-Leach-Bliley Act (15 USC 6801) with regard to the protection of its customers’ non-public personal information.

Financial institutions should keep a log of all Section 314(a) Requests received and any “positive matches” identified and reported to FinCEN. Additionally, documentation that all required searches were performed is essential. The financial institution should not need to keep copies of the Section 314(a) Requests; noting the unique tracking number will suffice. Some financial institutions may choose to destroy the Section 314(a) Requests after searches are performed. If a financial institution chooses to keep the Section 314(a) Requests for audit/internal review purposes, it should not be criticized for doing so, as long as it appropriately secures them and protects their confidentiality.

FinCEN has provided financial institutions with general instructions, FAQs, and additional guidance relating to the Section 314(a) Request process. These documents are revised periodically and may be found on FinCEN’s Web site.

Section 314(b) - Voluntary Information Sharing

Section 314(b) of the USA PATRIOT Act encourages financial institutions and financial institution associations (for example, bank trade groups and associations) to share information on individuals, entities, organizations, and countries suspected of engaging in possible terrorist activity or money laundering. Section 314(b) limits the definition of “financial institutions” used within Section 314(a) of the USA PATRIOT Act to include only those institutions that are required to establish and maintain an anti-money laundering program; this definition includes, but is not limited to, banking entities regulated by the Federal Banking Agencies. The definition specifically excludes any institution or class of institutions that FinCEN has designated as ineligible to share information. Section 314(b) also describes the safe harbor from civil liability that is provided to financial institutions that appropriately share information within the limitations and requirements specified in the regulation.

Restrictions on Use of Shared Information

Information shared on a subject from a financial institution or financial institution association pursuant to Section 314(b) cannot be used for any purpose other than the following:

• Identifying and, where appropriate, reporting on money laundering or terrorist activities;
• Determining whether to establish or maintain an account, or to engage in a transaction; or
• Assisting in the purposes of complying with this section.

Annual Certification Requirements

In order to avail itself of the statutory safe harbor protection, a financial institution or financial institution association must annually certify with FinCEN stating its intent to engage in information sharing with other similarly-certified entities. It must further state that it has established and will maintain adequate procedures to protect the security and confidentiality of the information, as if the information were included in one of its own SAR filings. The annual certification process involves completing and submitting a “Notice for Purposes of Subsection 314(b) of the USA PATRIOT Act and 31 CFR 103.110.” The notice can be completed and electronically submitted to FinCEN via their website. Alternatively, the notice can be mailed to the following address: FinCEN, P.O. Box 39, Mail Stop 100, Vienna, VA 22183.

It is important to mention that if a financial institution or financial institution association improperly uses its Section 314(b) permissions, its certification can be revoked by either FinCEN or by its Federal Banking Agency.

Failure to follow the Section 314(b) annual certification requirements will result in the loss of the financial institution or financial institution association’s statutory safe harbor and could result in a violation of laws or other laws and regulations.

Verification Requirements

A financial institution must take reasonable steps to verify that the other financial institution(s) or financial institution association(s) with which it intends to share information has also performed the annual certification process discussed above. Such verification can be performed by reviewing the lists of other 314(b) participants that are periodically provided by FinCEN. Alternatively, the financial institution or financial institution association can confirm directly with the other party that the certification process has been completed.

Other Important Requirements and Restrictions

Section 314(b) requires virtually the same care and safeguarding of sensitive information as Section 314(a), whether the bank is the “provider” or “receiver” of

information. Refer to the discussions provided above and within “Section 314(a) – Mandatory Information Sharing Between the U.S. Government and Financial Institutions” for detailed guidance on:

• SAR Filings and
• Confidentiality of Section 314(a) Requests (including the embedded discussion entitled “Internal Financial Institution Measures for Protecting Section 314(a) Requests”).

Actions taken pursuant to shared information do not affect a financial institution’s obligations to comply with all BSA and OFAC rules and regulations. For example, a financial institution is still obligated to immediately contact law enforcement and its Federal regulatory agency, by telephone, when a significant reportable violation requiring immediate attention (such as one that involves the financing of terrorist activity or is of an ongoing nature) is being conducted; thereafter, a timely SAR filing is still required.

FinCEN has provided financial institutions with general instructions, registration forms, FAQs, and additional guidance relating to the Section 314(b) information sharing process. These documents are revised periodically and may be found on FinCEN’s website.

CUSTOMER DUE DILIGENCE (CDD)

The cornerstone of strong BSA/AML programs is the adoption and implementation of comprehensive CDD policies, procedures, and controls for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The concept of CDD incorporates and builds upon the CIP regulatory requirements for identifying and verifying a customer’s identity.

The goal of a CDD program is to develop and maintain an awareness of the unique financial details of the institution’s customers and the ability to relatively predict the type and frequency of transactions in which its customers are likely to engage. In doing so, institutions can better identify, research, and report suspicious activity as required by BSA regulations. Although not required by statute or regulation, an effective CDD program provides the critical framework that enables the institution to comply with regulatory requirements.

Benefits of an Effective CDD Program

An effective CDD program protects the reputation of the institution by:

• Preventing unusual or suspicious transactions in a timely manner that potentially exposes the institution to financial loss or increased expenses;
• Avoiding criminal exposure from individuals who use the institution’s resources and services for illicit purposes; and
• Ensuring compliance with BSA regulations and adhering to sound and recognized banking practices.

CDD Program Guidance

CDD programs should be tailored to each institution’s BSA/AML risk profile; consequently, the scope of CDD programs will vary. While smaller institutions may have more frequent and direct contact with customers than their counterparts in larger institutions, all institutions should adopt and follow an appropriate CDD program.

An effective CDD program should:

• Be commensurate with the institution’s BSA/AML risk profile, paying particular attention to higher risk customers,
• Contain a clear statement of management’s overall expectations and establish specific staff responsibilities, and
• Establish monitoring systems and procedures for identifying transactions or activities inconsistent with a customer’s normal or expected banking activity.

Customer Risk

As part of an institution’s BSA/AML risk assessment, many institutions evaluate and apply a BSA/AML risk rating to its customers. Under this approach, the institution will obtain information at account opening sufficient to develop a “customer transaction profile” that incorporates an understanding of normal and expected activity for the customer’s occupation or business operations. While this practice may not be appropriate for all institutions, management of all institutions should have a thorough understanding of the money laundering or terrorist financing risks of its customer base and develop and implement the means to adequately mitigate these risks.

Due Diligence for Higher Risk Customers

Customers that pose higher money laundering or terrorist financing risks present increased exposure to institutions. Due diligence for higher risk customers is especially

critical in understanding their anticipated transactions and implementing a suspicious activity monitoring system that reduces the institution’s reputation, compliance, and transaction risks. Higher risk customers and their transactions should be reviewed more closely at account opening and more frequently throughout the term of the relationship with the institution.

The USA PATRIOT Act requires special due diligence at account opening for certain foreign accounts, such as foreign correspondent accounts and accounts for senior foreign political figures. An institution’s CDD program should include policies, procedures, and controls reasonably designed to detect and report money laundering through correspondent accounts and private banking accounts that are established or maintained for non-U.S. persons. Guidance regarding special due diligence requirements is provided in the next section entitled “Banking Services and Activities with Greater Potential for Money Laundering and Enhanced Due Diligence Procedures.”

BANKING SERVICES AND ACTIVITIES WITH GREATER POTENTIAL FOR MONEY LAUNDERING AND ENHANCED DUE DILIGENCE PROCEDURES

Certain financial services and activities are more vulnerable to being exploited in money laundering and terrorist financing activities. These conduits are often utilized because each typically presents an opportunity to move large amounts of funds embedded within a large number of similar transactions. Most activities discussed in this section also offer access to international banking and financial systems. The ability of U.S. financial institutions to conduct the appropriate level of due diligence on customers of foreign banks, offshore and shell banks, and foreign branches is often severely limited by the laws and banking practices of other countries.

While international AML and Counter-Terrorist Financing (CTF) standards are improving through efforts of several international groups, U.S. financial institutions will still need effective systems in their AML and CTF programs to understand the quality of supervision and assess the integrity and effectiveness of controls in other countries.

Higher risk areas discussed in this section include:

• Non-bank financial institutions (NBFIs), including money service businesses (MSBs);
• Foreign correspondent banking relationships;
• Payable-through accounts;
• activities;
• Numbered accounts;
• Pouch activities;
• Special use accounts;
• Wire transfer activities; and
• Electronic banking.

Financial institutions offering these higher risk products and services must enhance their AML and CDD procedures to ensure adequate scrutiny of these activities and the customers conducting them.

Non-Bank Financial Institutions and Money Service Businesses

Non-bank financial institutions (NBFIs) are broadly defined as institutions that offer financial services. Traditional financial institutions (“banks” for this discussion) that maintain account relationships with NBFIs are exposed to a higher risk for potential money laundering activities because these entities are less regulated and may have limited or no documentation on their customers. Additionally, banks may likewise be exposed to possible OFAC violations for unknowingly engaging in or facilitating prohibited transactions through an NBFI account relationship.

NBFIs include, but are not limited to:

• Casinos or card clubs;
• Securities brokers/dealers; and
• Money Service Businesses (MSBs)
  o currency dealers or exchangers;
  o check cashers;
  o issuers, sellers, or redeemers of traveler’s checks, money orders, or stored value cards;
  o money transmitters; and
  o U.S. Post Offices (money orders).

Money Service Businesses

As indicated above, MSBs are a subset of NBFIs. Regulations for MSBs are included within 31 CFR 103.41. All MSBs were required to register with FinCEN using Form TD F 90-22.55 by December 31, 2001, or within 180 days after the business begins operations. Thereafter, each MSB must renew its registration every two years.

MSBs are a major industry, and typically operate as independent businesses. Relatively few MSBs are chains that operate in multiple states. MSBs can be sole-purpose entities but are frequently tied to another business such as a liquor store, bar, grocery store, gas station, or other multi-purpose entity. As a result, many MSBs are frequently unaware of their legal and regulatory requirements and have been historically difficult to detect. A bank may find it necessary to inform MSB customers about the appropriate MSB regulations and requirements.

Most legitimate MSBs should not refuse to follow regulations once they have been informed of the requirements. If they do, the bank should closely scrutinize the MSB’s activities and transactions for possible suspicious activity.

MSBs typically do not establish on-going customer relationships, and this is one of the reasons that MSB customers are considered higher risk. Since MSBs do not have continuous relationships with their clients, they generally do not obtain key due diligence documentation, making customer identification and suspicious transaction identification more difficult.

Banks with MSB customers also have a risk in processing third-party transactions through their payment and other banking systems. MSB transactions carry an inherent potential for the facilitation of layering. MSBs can be conduits for illicit cash and monetary instrument transactions, check kiting, concealing the ultimate beneficiary of the funds, and facilitating the processing of forged or fraudulent items such as treasury checks, money orders, traveler’s checks, and personal checks.

MSB Agents

MSBs that are agents of such commonly known entities as Moneygram or Western Union should be aware of their legal requirements. Agents of such money transmitters, unless they offer another type of MSB activity, do NOT have to independently register with FinCEN, but are maintained on an agency list by the “actual” MSB (such as Western Union). However, this “actual” MSB is responsible for providing general training and information requirements to their agents and for aggregating transactions on a nationwide basis, as appropriate.

Check Cashers

FinCEN defines a check casher as a business that will cash checks and/or sell monetary or other instruments over $1,000 per customer on any given day. If a company, such as a local mini-market, will cash only personal checks up to $100 per day AND it provides no other financial services or instruments (such as money orders or money transmittals), then that company would NOT be considered a check casher for regulatory purposes or have to register as an MSB.

Exemptions from CTR Filing Requirements

MSBs are subject to BSA regulations and OFAC sanctions and, as such, should be filing CTRs, screening customers for OFAC matches, and filing SARs, as appropriate. MSBs cannot exempt their customers from CTR filing requirements like banks can, and banks may not exempt MSB customers from CTR filing, unless the “50 Percent Rule” applies.

The “50 Percent Rule” states that if an MSB derives less than 50 percent of its gross cash receipts from money service activities, then it can be exempted. If the bank exempts an MSB customer under the “50 Percent Rule,” it should have documentation evidencing the types of business conducted, receipt volume, and estimations of MSB versus non-MSB activity.

Policies and Procedures for Opening and Monitoring NBFI and MSB Relationships

Banks that maintain account relationships with NBFIs or MSBs should perform greater due diligence for these customers given their higher risk profile. Management should implement the following due diligence procedures for MSBs:

• Identify all NBFI/MSB accounts;
• Determine that the business has met local licensing requirements;
• Ascertain if the MSB has registered or re-registered with FinCEN and obtain a copy of the filing or verify the filing on FinCEN’s website;
• Determine if the MSB has procedures to comply with BSA regulations and OFAC monitoring;
• Establish the types and amounts of currencies/instruments handled, and any additional services provided;
• Note the targeted customer base;
• Determine if the business sends or receives international wires and the nature of the activity;
• Determine if the MSB has procedures to monitor and report suspicious activity; and
• Obtain a copy of the MSB’s independent BSA review, if available.

Management should document in writing the responses to the items above and update MSB customer files at least annually. In addition, management should continue to monitor these higher risk accounts for suspicious activity. The FDIC does not expect the bank to perform an examination of the MSB; however, the bank should take

reasonable steps to document that MSB customers are aware of and are complying with appropriate regulations.

For additional information, examiners should instruct bank management to consult the FinCEN website developed specifically for MSBs. This website contains guidance, registration forms, and other materials useful for MSBs to understand and comply with BSA regulations. Bank customers who are uncertain if they are covered by the definition of MSBs can also visit this site to determine if their business activities qualify.

Foreign Correspondent Banking Relationships

Correspondent accounts are accounts that financial institutions maintain with each other to handle transactions for themselves or for their customers. Correspondent accounts between a foreign bank and U.S. financial institutions are much needed, as they facilitate international trade and investment. However, these relationships may pose a higher risk for money laundering.

Transactions through foreign correspondent accounts are typically large and would permit movement of a high volume of funds relatively quickly. These correspondent accounts also provide foreign entities with ready access to the U.S. financial system. These banks and other financial institutions may be located in countries with unknown AML regulations and controls ranging from strong to weak, corrupt, or nonexistent.

The USA PATRIOT Act establishes reporting and documentation requirements for certain high-risk areas, including:

• Special due diligence requirements for correspondent accounts and private banking accounts which are addressed in 31 CFR 103.181.
• Verification procedures for foreign correspondent account relationships which are included in 31 CFR 103.185.
• Foreign banks with correspondent accounts at U.S. financial institutions must produce bank records, including information on ownership, when requested by regulators and law enforcement, as detailed in Section 319 of the USA PATRIOT Act and codified at 31 CFR 103.185.

The foreign correspondent records detailed above are to be provided within seven days of a law enforcement request and within 120 hours of a Federal regulatory request. Failure to provide such records in a timely manner may result in the U.S. financial institution’s required termination of the foreign correspondent account. Such foreign correspondent relationships need only be terminated upon the U.S. financial institution’s written receipt of such instruction from either the Secretary of the Treasury or the U.S. Attorney General. If the U.S. financial institution fails to terminate relationships after receiving notification, the U.S. institution may face civil money penalties.

The Treasury was also granted broad authority by the USA PATRIOT Act (codified in 31 USC 5318[A]), allowing it to establish special measures. Such special measures can be established which require U.S. financial institutions to perform additional recordkeeping and/or reporting or require a complete prohibition of accounts and transactions with certain countries and/or specified foreign financial institutions. The Treasury may impose such special measures by regulation or order, in consultation with other regulatory agencies, as appropriate.

Shell Banks

Sections 313 and 319 of the USA PATRIOT Act implemented (by 31 CFR 103.177 and 103.185, respectively) a new provision of the BSA that relates to foreign correspondent accounts. Covered financial institutions (CFI) are prohibited from establishing, maintaining, administering, or managing a correspondent account in the U.S. for or on behalf of a foreign shell bank.

A correspondent account, under this regulation, is defined as an account established by a CFI for a foreign bank to receive deposits from, to make payments or other disbursements on behalf of a foreign financial institution, or to handle other financial transactions related to the foreign bank. An account is further defined as any formal banking or business relationship established to provide:

• Regular services,
• Dealings, and
• Other financial transactions,

and may include:

• Demand deposits,
• Savings deposits,
• Any other transaction or asset account,
• Credit account, or
• Any other extension of credit.

A foreign shell bank is defined as a foreign bank without a physical presence in any country. Physical presence means a place of business that:

• Is maintained by a foreign bank;
• Is located at a fixed address (other than solely an electronic address or a post-office box) in a country in which the foreign bank is authorized to conduct banking activities;
• Provides at that fixed address:
  o One or more full-time employees,
  o Operating records related to its banking activities; and
• Is subject to inspection by the banking authority that licensed the foreign bank to conduct banking activities.

There is one exception to the shell bank prohibition. This exception allows a CFI to maintain a correspondent account with a foreign shell bank if it is a regulated affiliate. As a regulated affiliate, the shell bank must meet the following requirements:

• The shell bank must be affiliated with a depository institution (bank or credit union, either U.S. or foreign) in the U.S. or another foreign jurisdiction.
• The shell bank must be subject to supervision by the banking authority that regulates the affiliated entity.

Furthermore, in any foreign correspondent relationship, the CFI must take reasonable steps to ensure that such an account is not being used indirectly to provide banking services to other foreign shell banks. If the CFI discovers that a foreign correspondent account is providing indirect services in this manner, then it must either prohibit the indirect services to the foreign shell bank or close down the foreign correspondent account. This activity is referred to as “nested” correspondent banking and is discussed in greater detail below under “Foreign Correspondent Banking Money Laundering Risks.”

Required Recordkeeping on Correspondent Banking Accounts

As mentioned previously, a CFI that maintains a foreign correspondent account must also maintain records identifying the owners of each foreign bank. To minimize recordkeeping burdens, ownership information is not required for:

• Foreign banks that file form FR-7 with the Federal Reserve, or
• Publicly traded foreign banks.

A CFI must also record the name and street address of a person who resides in the U.S. and who is willing to accept service of legal process on behalf of the foreign institution. In other words, the CFI must collect information so that law enforcement can serve a subpoena or other legal document upon the foreign correspondent bank.

Certification Process

To facilitate information collection, the Treasury, in coordination with the banking industry, Federal regulators and law enforcement agencies, developed a certification process using special forms to standardize information collection. The use of these forms is not required; however, the information must be collected regardless. The CFI must update, or re-certify, the foreign correspondent information at least once every three years.

For new accounts, this certification information must be obtained within 30 calendar days after the opening date. If the CFI is unable to obtain the required information, it must close all correspondent accounts with that foreign bank within a commercially reasonable time. The CFI should review certifications to verify their accuracy. The review should look for potential problems that may warrant further research or information. Should a CFI know, suspect, or have reason to suspect that any certification information is no longer correct, the CFI must request the foreign bank to verify or correct such information within 90 days. If the information is not corrected within that time, the CFI must close all correspondent accounts with that institution within a commercially reasonable time.

Foreign Correspondent Banking Money Laundering Risks

Foreign correspondent accounts provide access to foreign financial institutions and their customers, which may include other foreign banks. Many U.S. financial institutions fail to ascertain the extent to which the foreign banks will allow other foreign banks to use their U.S. accounts. Many high-risk foreign financial institutions have gained access to the U.S. financial system by operating through U.S. correspondent accounts belonging to other foreign banks. These are commonly referred to as “nested” correspondent banks.

Such nested correspondent bank relationships result in the U.S. financial institution’s inability to identify the ultimate customer who is passing a transaction through the foreign correspondent’s U.S. account. These nested relationships may prevent the U.S. financial institution from effectively complying with BSA regulations, suspicious activity reporting, and OFAC monitoring and sanctions.

If a U.S. financial institution’s due diligence or monitoring system identifies the use of such nested accounts, the U.S.

financial institution should do one or more of the following:

• Perform due diligence on the nested users of the foreign correspondent account, to determine and verify critical information including, but not limited to, the following:
  o Ownership information,
  o Service of legal process contact,
  o Country of origin,
  o AML policies and procedures,
  o Shell bank and licensing status,
  o Purpose and expected volume and type of transactions;
• Restrict business through the foreign correspondent’s accounts to limited transactions and/or purposes; and
• Terminate the initial foreign correspondent account relationship.

Necessary Due Diligence on Foreign Correspondent Accounts

Because of the heightened risk related to foreign correspondent banking, the U.S. financial institution needs to assess the money laundering risks associated with each of its correspondent accounts. The U.S. financial institution should understand the nature of each account holder’s business and the purpose of the account. In addition, the U.S. financial institution should have an expected volume and type of transaction anticipated for each foreign bank customer.

When a new relationship is established, the U.S. financial institution should assess the management and financial condition of the foreign bank, as well as its AML programs and the home country’s money laundering regulations and supervisory oversight. These due diligence measures are in addition to the minimum regulation requirements.

Each U.S. financial institution maintaining foreign correspondent accounts must establish appropriate, specific, and, where necessary, enhanced due diligence policies, procedures, and controls as required by 31 CFR 103.181. The U.S. financial institution’s AML policies and programs should enable it to reasonably detect and report instances of money laundering occurring through the use of foreign correspondent accounts.

The regulations specify that additional due diligence must be completed if the foreign bank is:

• Operating under an offshore license;
• Operating under a license granted by a jurisdiction designated by the Treasury or an intergovernmental agency (such as the Financial Action Task Force [FATF]) as being a primary money laundering concern; or
• Located in a bank secrecy or money laundering haven.

Internal financial institution policies should focus compliance efforts on those accounts that represent a higher risk of money laundering. U.S. financial institutions may use their own risk assessment or incorporate the best practices developed by industry and regulatory recommendations.

Offshore Banks

An offshore bank is one which does not transact business with the citizens of the country that licenses the bank. For example, a bank is licensed as an offshore bank in Spain. This institution may do business with anyone in the world except for the citizens of Spain. Offshore banks are typically a revenue generator for the host country and may not be as closely regulated as banks that provide financial services to the host country’s citizens. The host country may also have lax AML standards, controls, and enforcement. As such, offshore licenses can be appealing to those wishing to launder illegally obtained funds.

The FATF designates Non-Cooperative Countries and Territories (NCCTs). These countries have been so designated because they have not applied the recommended international anti-money laundering standards and procedures to their financial systems. The money laundering standards established by FATF are known as the Forty Recommendations. Further discussion of the Forty Recommendations and NCCTs can be found at the FATF website.

Payable Through Accounts

A payable through account (PTA) is a account through which banking agencies located in the U.S. extend check writing privileges to the customers of other domestic or foreign institutions. PTAs have long been used in the U.S. by credit unions (for example, for checking account services) and investment companies (for example, for checking account services associated with money market management accounts) to offer customers the full range of banking services that only a has the ability to provide.

International PTA Use

Under an international PTA arrangement, a U.S. financial institution, Edge corporation, or the U.S. branch or agency of a foreign bank (U.S. banking entity) opens a master

checking account in the name of a foreign bank operating outside the U.S. The master account is subsequently divided by the foreign bank into "sub-accounts" each in the name of one of the foreign bank's customers. Each sub-account holder becomes a signatory on the foreign bank's account at the U.S. banking entity and may conduct banking activities through the account.

Financial institution regulators have become aware of the increasing use of international PTAs. These accounts are being marketed by U.S. financial institutions to foreign banks that otherwise would not have the ability to offer their customers direct access to the U.S. banking system. While PTAs provide legitimate business benefits, the operational aspects of the account make it particularly vulnerable to abuse as a mechanism to launder money. In addition, PTAs present unique safety and soundness risks to banking entities in the U.S.

Sub-account holders of the PTA master accounts at the U.S. banking entity may include other foreign banks, rather than just individuals or corporate accounts. These second-tier foreign banks then solicit individuals as customers. This may result in thousands of individuals having signatory authority over a single account at a U.S. banking entity. The PTA mechanism permits the foreign bank operating outside the U.S. to offer its customers, the sub-account holders, U.S. denominated checks and ancillary services, such as the ability to receive wire transfers to and from sub-accounts and to cash checks. Checks are encoded with the foreign bank's account number along with a numeric code to identify the sub-account.

Deposits into the U.S. master account may flow through the foreign bank, which pools them for daily transfer to the U.S. banking entity. Funds may also flow directly to the U.S. banking entity for credit to the master account, with further credit to the sub-account.

Benefits Associated with Payable Through Accounts

While the objectives of U.S. financial institutions marketing PTAs and the foreign banks which subscribe to the PTA service may vary, essentially three benefits currently drive provider and user interest:

• PTAs permit U.S. financial institutions to attract dollar deposits from the home market of foreign banks without jeopardizing the foreign bank's relationship with its clients.
• PTAs provide fee income potential for both the U.S. PTA provider and the foreign bank.
• Foreign banks can offer their customers efficient and low-cost access to the U.S. banking system.

Risks Associated with Payable Through Accounts

The PTA arrangement between a U.S. banking entity and a foreign bank may be subject to the following risks:

• Money Laundering risk – the risk of possible illegal or improper conduct flowing through the PTAs.
• OFAC risk – the risk that the U.S. banking entity does not know the ultimate PTA customers which could facilitate the completion of sanctioned or blocked transactions.
• Credit risk – the risk the foreign bank will fail to perform according to the terms and conditions of the PTA agreement, either due to bankruptcy or other financial difficulties.
• Settlement risk – the risk that arises when the U.S. banking entity pays out funds before it can be certain that it will receive the corresponding deposit from the foreign bank.
• Country risk – the risk the foreign bank will be unable to fulfill its international obligations due to domestic strife, revolution, or political disturbances.
• Regulatory risk – the risk that deposit and withdrawal transactions through the PTA may violate State and/or Federal laws and regulations.

Unless a U.S. banking entity is able to identify adequately, and understand the transactions of the ultimate users of the foreign bank's account maintained at the U.S. banking entity, there is a potential for serious illegal conduct.

Because of the possibility of illicit activities being conducted through PTAs at U.S. banking entities, financial institution regulators believe it is inconsistent with the principles of safe and sound banking for U.S. banking entities to offer PTA services without developing and maintaining policies and procedures designed to guard against the possible improper or illegal use of PTA facilities.

Policy Recommendations

Policies and procedures must be fashioned to enable each U.S. banking entity offering PTA services to foreign banks to:

• Identify sufficiently the ultimate users of its foreign bank PTAs, including obtaining (or having the ability to obtain) substantially the same type of information on the ultimate users as the U.S. banking entity obtains for its domestic customers.
• Review the foreign bank's own procedures for identifying and monitoring sub-account holders, as

well as the relevant statutory and regulatory requirements placed on the foreign bank to identify and monitor the transactions of its own customers by its home country supervisory authorities.
• Monitor account activities conducted in the PTAs with foreign banks and report suspicious or unusual activity in accordance with Federal regulations.

Termination of PTAs

It is recommended the U.S. banking entity terminate a PTA with a foreign bank as expeditiously as possible in the following situations:

• Adequate information about the ultimate users of the PTAs cannot be obtained.
• The U.S. banking entity cannot adequately rely on the home country supervisor to require the foreign bank to identify and monitor the transactions of its own customers.
• The U.S. banking entity is unable to ensure that its PTAs are not being used for money laundering or other illicit purposes.
• The U.S. banking entity identifies ongoing suspicious and unusual activities dominating the PTA transactions.

Private Banking Activities

Private banking has proven to be a profitable operation and is a fast-growing business in U.S. financial institutions. Although the financial service industry does not use a standard definition for private banking, it is generally held that private banking services include an array of all-inclusive deposit account, lending, investment, trust, and cash management services offered to high net worth customers and their business interests. Not all financial institutions operate private banking departments, but they typically offer special attention to their best customers and ensure greater privacy concerning the transactions and activities of these customers. Smaller institutions may offer similar services to certain customers while not specifically referring to this activity as private banking.

Confidentiality is a vital element in administering private banking relationships. Although customers may choose private banking services to manage their assets, they may also seek confidential ownership of their assets or a safe, legal haven for their capital. When acting as a fiduciary, financial institutions may have statutory, contractual, or ethical obligations to uphold customer confidentiality.

Typically, a private banking department will service a financial institution’s wealthy foreign customers, as these customers may be conducting more complex transactions and using services that facilitate international transactions. Because of these attributes, private banking also appeals to money launderers.

Examiners should evaluate the financial institution management’s ability to measure and control the risk of money laundering in the private banking area and determine if adequate AML policies, procedures, and oversight are in place to ensure compliance with laws and regulations and adequate identification of suspicious activities.

Policy Recommendations

At a minimum, the financial institution’s private banking policies and procedures should address:

• Acceptance and approval of private banking clients;
• Desired or targeted client base;
• Products and services that will be offered;
• Effective account opening procedures and documentation requirements; and
• Account review upon opening and ongoing thereafter.

In addition, the financial institution must:

• Document the identity and source of wealth on all customers requesting custody or private banking services;
• Understand each customer’s net worth, account needs, as well as level and type of expected activity;
• Verify the source and accuracy of private banking referrals;
• Verify the origins of the assets or funds when transactions are received from other financial service providers;
• Review employment and business information, income levels, financial statements, net worth, and credit reports; and
• Monitor the account relationship by:
  o Reviewing activity against customer profile expectations,
  o Investigating extraordinary transactions,
  o Maintaining an administrative file documenting the customer’s profile and activity levels,
  o Maintaining documentation that details personal observations of the customer’s business and/or personal life, and
  o Ensuring that account reviews are completed periodically by someone other than the private banking officer.

Financial institutions should ensure, through independent review, that private banking account officers have adequate documentation for accepting new private banking account funds and are performing the responsibilities detailed above.

Enhanced Due Diligence for Non-U.S. Persons Maintaining Private Banking Accounts

Section 312 of the USA PATRIOT Act, implemented by 31 CFR 103.181, requires U.S. financial institutions that maintain private banking accounts for non-U.S. persons to establish enhanced due diligence policies, procedures, and controls that are designed to detect and report money laundering.

Private banking accounts subject to requirements under Section 312 of the USA PATRIOT Act include:

• Accounts, or any combination of accounts with a minimum deposit of funds or other assets of at least $1 million;
• Accounts established for one or more individuals (beneficial owners) that are neither U.S. citizens, nor lawful permanent residents of the U.S.; or
• Accounts assigned to or managed by an officer, employee, or agent of a financial institution acting as a liaison between the financial institution and the direct or beneficial owner of the account.

Regulations for private banking accounts specify that enhanced due diligence procedures and controls should be established where appropriate and necessary with respect to the applicable accounts and relationships. The financial institution must be able to show it is able to reasonably detect suspicious and reportable money laundering transactions and activities.

A due diligence program is considered reasonable if it focuses compliance efforts on those accounts that represent a high risk of money laundering. Private banking accounts of foreign customers inherently indicate higher risk than many U.S. accounts; however, it is incumbent upon the financial institution to establish a reasonable level of monitoring and review relative to the risk of the account and/or department.

A financial institution may use its own risk assessment or incorporate industry best practices into its due diligence program. Specific due diligence procedures required by Section 312 of USA PATRIOT Act include:

• Verification of the identity of the nominal and beneficial owners of an account;
• Documentation showing the source of funds; and
• Enhanced scrutiny of accounts and transactions of senior foreign political figures, also known as “politically exposed persons” (PEPs).

Identity Verification

The financial institution is expected to take reasonable steps to verify the identity of both the nominal and the beneficial owners of private banking accounts. Often, private banking departments maintain customer information in a central confidential file or use code names in order to protect the customer’s privacy. Because of the nature of the account relationship with the bank liaison and the focus on a customer’s privacy, customer profile information has not always been well documented.

Other methods used to maintain customer privacy include:

• Private Investment Corporation (PIC),
• Offshore Trusts, and
• Token Name Accounts.

PICs are established to hold a customer’s personal assets in a separate legal entity. PICs offer confidentiality of ownership, hold assets centrally, and provide intermediaries between private banking customers and the potential beneficiaries of the PICs or trusts. A PIC may also be a trust asset. PICs are incorporated frequently in countries that impose low or no on company assets and operations, or are bank secrecy havens. They are sometimes established by the financial institution for customers through their international affiliates – some high profile or political customers have a legitimate need for a higher degree of financial privacy. However, financial institutions should exercise extra care when dealing with beneficial owners of PICs and associated trusts because they can be misused to conceal illegal activities. Since PICs issue bearer shares, anonymous relationships in which the financial institution does not know and document the beneficial owner should not be permitted.

Offshore trusts can operate similarly to PICs and can even include PICs as assets. Beneficial owners may be numerous; regardless, the financial institution must have records demonstrating reasonable knowledge and due diligence of beneficiary identities. Offshore trusts should identify grantors of the trusts and sources of the grantors’ wealth.

Furthermore, OFAC screening may be difficult or impossible when transactions are conducted through PICs, offshore trusts, or token name accounts that shield true identities. Management must ensure that accounts

maintained in a name other than that of the beneficial owner are subject to the same level of filtering for OFAC as other accounts. That is, the OFAC screening process must include the account’s beneficial ownership as well as the official account name.

Documentation of Source of Funds

Documentation of the source of funds deposited into a private banking account is also required by Section 312 of the USA PATRIOT Act. Customers will frequently transfer large sums in single transactions and the financial institution must document initial and ongoing monetary flows in order to effectively identify and report suspicious activity. Understanding how high net worth customers’ cash flows, operational income, and expenses flow through a private banking relationship is an integral part of understanding the customer’s wealth picture. Due diligence will often necessitate that the financial institution thoroughly investigate the customer’s expected transactions.

Enhanced Scrutiny of Politically Exposed Persons

Enhanced scrutiny of accounts and transactions involving senior foreign political figures, their families and associates is required by law in order to guard against laundering the proceeds of foreign corruption.

Illegal activities related to foreign corruption were brought under the definition of money laundering by Section 315 of USA PATRIOT Act. Abuses and corruption by political officials not only negatively impacts their home country’s , but can also undermine international government and working group efforts against money laundering. A financial institution doing business with corrupt PEPs can be exposed to significant reputational risk, which could result in adverse financial impact through news articles, loss of customers, and even civil money penalties (CMPs). Furthermore, a financial institution, its directors, officers, and employees can be exposed to criminal charges if they did know or should have known (willful blindness) that funds stemmed from corruption or serious crimes.

As such, PEP accounts can present a higher risk. Enhanced scrutiny is appropriate in the following situations:

• Customer asserts a need to have the foreign political figure or related persons remain secret.
• Transactions are requested to be performed that are not expected given the customer’s account profile.
• Amounts and transactions do not make sense in relation to the PEP’s known income sources and uses.
• Transactions exceed reasonable amounts in relation to the PEP’s known net worth.
• Transactions are large in relation to the PEP’s home country financial condition.
• PEP’s home country is economically depressed, yet the PEP’s home country transactions funding the account remain high.
• Customer refuses to disclose the nominal or beneficial owner of the account or provides false or misleading information.
• Net worth and/or source of funds for the PEP are unidentified.

Additional discussion of due diligence procedures for these accounts can be found in interagency guidance issued in FDIC FIL-6-2001, dated in January 2001, “Guidance on Enhanced Scrutiny for Transactions That May Involve the Proceeds of Foreign Official Corruption.”

Fiduciary and Custody Services within the Private Banking Department

Although fiduciary and agency activities are circumscribed by formal trust laws, private banking clients may delegate varying degrees of authority (discretionary versus nondiscretionary) over assets under management to the financial institution. In all cases, the terms under which the assets are managed are fully described in a formal agreement, also known as the “governing instrument” between the customer and the financial institution.

Even though the level of authority may encompass a wide range of products and services, examiners should determine the level of discretionary authority delegated to private banking department personnel in the management of these activities and the documentation required from customers to execute transactions on their behalf. Private banking department personnel should not be able to execute transactions on behalf of their clients without proper documentation from clients or independent verification of client instructions.

Concerning investments, fiduciaries are also required to exercise prudent investment standards, so the financial institution must ensure that if it is co-trustee or under direction of the customer who retains investment discretion, that the investments meet prudent standards and are in the best interest of the beneficiaries of the trust accounts.

Trust agreements may also be structured to permit the grantor/customer to continue to add to the corpus of the trust account. This provides another avenue to place funds

into the banking system and may be used by money launderers for that purpose.

Investment management services have many similar characteristics to trust accounts. The accounts may be discretionary or nondiscretionary. Transactions from clients through a private banking department relationship manager should be properly documented and able to be independently verified. The portfolio manager should also document the investment objectives.

Custodial services offered to private banking customers include securities safekeeping, receipts and disbursements of dividends and interest, recordkeeping, and accounting. Custody relationships can be established in many ways, including referrals from other departments in the financial institution or from outside investment advisors. The customer, or designated financial advisor, retains full control of the of the property subject to the custodianship. Sales and purchases of assets are made by instruction from the customer, and cash disbursements are prearranged or as instructed, again by the customer. In this case, it is important for the financial institution to know the customer. Procedures for proper administration should be established and reviewed frequently.

Numbered Accounts

A numbered account, also known as a pseudonym account, is opened not under an individual or corporate name, but under an assigned number or pseudonym. These types of numbered accounts are typically services offered in the private banking department or the trust department, but they can be offered anywhere in the institution.

Numbered accounts present some distinct customer advantages when it comes to privacy. First, all of the computerized information is recorded using the number or pseudonym, not the customer’s real name. This means that tellers, wire personnel, and various employees do not know the true identity of the customer. Furthermore, it protects the customer against identity theft. If electronic financial records are stolen, the number or pseudonym will not provide personal information. Statements and any documentation would simply show the number, not the customer’s true name or social security number.

However, numbered accounts offered by U.S. financial institutions must still meet the requirements of the BSA and specific customer identification and minimum due diligence documentation should be obtained. Account opening personnel must adequately document the customer due diligence performed, and access to this information must be provided to employees reviewing transactions for suspicious activity.

If the financial institution chooses to use numbered accounts, they must ensure that proper procedures are in place. Here are some minimum standards for numbered or pseudonym accounts:

• The BSA Officer should ensure that all required CIP information is obtained and well documented. The documentation should be readily available to regulators upon request.
• Management should ensure that adequate suspicious activity review procedures are in place. These accounts are considered to be high risk, and, as such, should have enhanced scrutiny. In order to properly monitor for unusual or suspicious activities, the person(s) responsible for monitoring these accounts must have the identity of the customer revealed to them. All transactions for these accounts should be reviewed at least once a month or more frequently.
• The financial institution’s system for performing OFAC reviews, Section 314(a) Requests, or any other inquiries on its customer databases, must be able to check the actual names and relevant information of these individuals. Typically the software will screen just the account name on the trial balance. Consequently, if the name is not on the trial balance, then it could be overlooked in this process. Management should thoroughly document how it will handle such situations, as well as each review that is performed.

Examiners should include the fact that the financial institution’s policy allows for numbered accounts on the “Confidential – Supervisory Section” page of the Report of Examination. Given the high risk nature of this account type, examiners should review them at every examination to ensure that management is adequately handling these accounts.

Pouch Activities

Pouch activities involve the use of a common carrier to transport currency, monetary instruments, and other documents usually from outside the U.S. to a domestic bank account. Pouches can originate from an individual or another financial institution and can contain any kind of document, including all forms of bank transactions such as demand deposits and loan payments. The contents of the pouch are not always subject to search while in transport, and considerable reliance is placed on the financial institution’s internal control systems designed to account

for the contents and their transfer into the institution’s accounts.

Vulnerabilities in pouch systems can be exploited by those looking for an avenue to move illegally-gained funds into the U.S. Law enforcement has uncovered money laundering schemes where pouches were used to transfer:

• Bulk currency, both U.S. and foreign, and
• Sequentially numbered monetary instruments, such as traveler’s checks and money orders.

Once these illegal funds are deposited into the U.S. financial institution, they can be moved – typically through use of a wire transfer – anywhere in the world. As such, pouches are used by those looking to legitimize proceeds and obscure the true source of the funds.

Financial institutions establish pouch activities primarily to provide a service. The risks associated with a night deposit drop box (one example of pouch activity) are very different from financial institutions that provide document and currency transport from their international offices to banking offices in the U.S.

A prime benefit of having pouch services is the speed with which international transactions can be placed in the U.S. domestic banking system by avoiding clearing a transaction through several international banks in order to move the funds into the U.S. This benefit is particularly advantageous for customers in countries that do not do direct business with the U.S., including those countries that:

• May require little or no customer identification,
• Are well-known secrecy havens, or
• Are considered NCCTs.

Examination Guidance

Examiners should ascertain if a financial institution offers pouch services. If it does provide these services, examiners must verify that all pouch activity is included in AML programs and is thoroughly monitored for suspicious activity.

Examiners are strongly encouraged to be present during one or more pouch openings during the examination. By reviewing the procedures for opening and documenting items in the pouches, along with records maintained of pouch activities, examiners should be able to ascertain or confirm the degree of risk undertaken and the sufficiency of AML program in relation to the institution’s pouch activity.

Special Use Accounts

Special use accounts are in-house accounts established to handle the processing of multiple customer transactions within the financial institution. These accounts are also known as concentration accounts, omnibus, or suspense accounts and serve as settlement accounts. They are used in many areas of a financial institution, including private banking departments and in the wire transfer function. They present heightened money laundering risks because controls may be lax and an audit trail of customer information may not be easy to follow since transactions do not always maintain the customer identifying information with the transaction amount. In addition, many financial institution employees may have access to the account and have the ability to make numerous entries into and out of the account. Balancing of the special use account is also not always the responsibility of one individual, although items posted in the account are usually expected to be processed or resolved and settled in one day.

Financial institutions that use special use accounts should implement risk-based procedures and controls covering access to and operation of these accounts. Procedures and controls should ensure that the audit trail provides for association of the identity of transactor, customer and/or direct or beneficial owner with the actual movement of the funds. As such, financial institutions must maintain complete records of all customer transactions passing through these special use accounts. At a minimum, such records should contain the following information:

• Customer name,
• Customer address,
• Account number,
• Dollar value of the transaction, and
• Dates the account was affected.

Wire Transfer Activities

The established wire transfer systems permit quick movement of funds throughout the U.S. banking system and internationally. Wire transfers are commonly used to move funds in various money laundering schemes. Successive wire transfers allow the originator and the ultimate beneficiary of the funds to:

• Obtain relative ,
• Obfuscate the money trail,
• Easily aggregate funds from a large geographic area,
• Move funds out of or into the U.S., and
• “Legitimize” illegal proceeds.

Financial institutions use two wire transfer systems in the U.S., the Fedwire and the Clearing House Interbank Payments System (CHIPS). A telecommunications network, the Society for Worldwide Interbank Financial Telecommunications (SWIFT), is often used to send messages with international wire transfers.

Fedwire transactions are governed by the Uniform Commercial Code Article 4a and the Federal Reserve Board’s Regulation J. These laws primarily facilitate business conduct for electronic funds transfers; however, financial institutions must ensure they are using procedures for identification and reporting of suspicious and unusual transactions.

Wire Transfer Money Laundering Risks

Although wire systems are used in many legitimate ways, most money launderers use wire transfers to aggregate funds from different sources and move them through accounts at different banks until their origin cannot be traced. Money laundering schemes uncovered by law enforcement agencies show that money launderers aggregate funds from multiple accounts at the same financial institution, wire those funds to accounts held at other U.S. financial institutions, consolidate funds from these larger accounts, and ultimately wire the funds to offshore accounts in countries where laws are designed to facilitate secrecy. In some cases the monies are then sent back into the U.S. with the appearance of being legitimate funds.

It can be challenging for financial institutions to identify suspicious transactions due to the:

• Large number of wire transactions that occur in any given day;
• Size of wire transactions;
• Speed at which transactions move and settle; and
• Weaknesses in identifying the customers (originators and/or beneficiaries) of such transactions at the sending or receiving banks.

A money launderer will often try to make wire transfers appear to be for a legitimate purpose, or may use “shell companies” (corporations that exist only on paper, similar to shell banks discussed above in the section entitled “Foreign Correspondent Banking Relationships”), often chartered in another country. Money launderers usually look for legitimate businesses with high cash sales and high turnover to serve as a front company.

Mitigation of Wire Transfer Money Laundering Risks

Familiarity with the customer and type of business enables the financial institution to more accurately analyze transactions and thereby identify unusual wire transfer activity. With appropriate CDD policies and procedures, financial institutions should have some expectation of the type and volume of activity in accounts, especially if the account belongs to a high-risk entity or the customer uses higher-risk products or services. Consideration should be given to the following items in arriving at this expectation:

• Type and size of business;
• Customer’s stated explanation for activity;
• Historical customer activity; and
• Activity of other customers in the same line of business.

Wire Transfer Recordkeeping Requirements

BSA recordkeeping rules require the retention of certain information for funds transfers and the transmittal of funds. Basic recordkeeping requirements are established in 31 CFR 103.33 and require the maintenance of the following records on all wire transfers originated over $3,000:

• Name and address of the originator,
• Amount of the payment order,
• Execution date of the payment order,
• Payment instructions received from the originator,
• Identity of the beneficiary’s financial institution, and
• As many of the following items that are received with the transfer order:
  o Name and address of the beneficiary,
  o Account number of the beneficiary, and
  o Any other specific identifier of the beneficiary.

In addition, as either an intermediary bank or a beneficiary bank, the financial institution must retain a complete record of the payment order. Furthermore, the $3,000 minimum limit for retention of this information does not mean that wire transfers under this amount should not be reviewed or monitored for unusual activity.

Funds Transfer Record Keeping and Travel Rule Regulations

Along with the BSA recordkeeping rules, the Funds Transfer Recordkeeping and Travel Rule Regulations became effective in May of 1996. The regulations call for standard recordkeeping requirements to ensure all institutions are obtaining and maintaining the same information on all wire transfers of $3,000 or more. Like the BSA recordkeeping requirements, these additional recordkeeping requirements were put in place to create a
paper trail for law enforcement to investigate money laundering schemes and other illegal activities.

Industry best practices dictate that domestic institutions should encourage all foreign countries to attach the identity of the originator to wire information as it travels to the U.S. and to other countries. Furthermore, the financial institution sending or receiving the wire cannot ensure adequate OFAC verification if they do not have all of the appropriate originator and beneficiary information on wire transfers.

Necessary Due Diligence on Wire Transfer Customers

To comply with these standards and regulations, a financial institution needs to know its customers. The ability to trace funds and identify suspicious and unusual transactions hinges on retaining information and a strong knowledge of the customer developed through comprehensive CDD procedures. Financial institution personnel must know the identity and business of the customer on whose behalf wire transfers are sent and received. Wire room personnel must be trained to identify suspicious or unusual wire activities and have a strong understanding of the bank’s OFAC monitoring and reporting procedures.

Review and monitoring activity should also take place subsequent to sending or receiving wires to further aid in identification of suspicious transactions. Reviewers should look for:

• Unusual wire transfer activity patterns;
• Transfers to and from high-risk countries; or
• Any of the “red flags” relating to wire transfers (refer to the “Identification of Suspicious Transactions” discussion included within this chapter.)

Risks Associated with Wire Transfers Sent with “Pay Upon Proper Identification” Instructions

Financial institutions should also be particularly cautious of wire transfers sent or received with “Pay Upon Proper Identification” (PUPID) instructions. PUPID transactions allow the wire transfer originator to send funds to a financial institution location where an individual or business does not have an account relationship. Since the funds receiver does not have an account at the financial institution, he/she must show prior identification to pick up the funds, hence the term PUPID. These transactions can be legitimate, but pose a higher than normal money laundering risk.

Electronic Banking

Electronic banking (E-Banking) consists of electronic access (through direct personal computer connection, the Internet, or other means) to financial institution services, such as opening deposit accounts, applying for loans, and conducting transactions. E-banking risks are not as significant at financial institutions that have a stand-alone “information only” website with no transactional or application capabilities. Many financial institutions offer a variety of E-banking services and it is very common to obtain a credit card, car loan, or mortgage loan on the Internet without ever meeting face-to-face with a financial institution representative.

The financial institution should have established policies and procedures for authenticating new customers obtained through E-banking channels. Customer identification policies and procedures should meet the minimum requirements of the USA PATRIOT Act and be sufficient to cover the additional risks related to customers opening accounts electronically. New account applications submitted over the Internet increase the difficulty of verifying the application information. Many financial institutions choose to require the prospective customer to come into an office or branch to complete the account opening process, while others will not. If a financial institution completes the entire application process over the Internet, it should consider using third-party databases or vendors to provide:

• Positive verification, which ensures that material information provided by an applicant matches information from third-party sources;
• Negative verification, which ensures that information provided is not linked to previous fraudulent activity; and
• Logical verification, which ensures that the information is logically consistent.

In addition to initial verification, a financial institution must also authenticate the customer’s identity each time an attempt is made to access his/her private information or to conduct a transaction over the Internet. The authentication methods involve confirming one or more of these three factors:

• Information only the user should know, such as a password or personal identification number (PIN);
• An object the user possesses, such as an automatic teller machine (ATM) card, smart card, or token; or
• Something physical of the user, such as a biometric characteristic like a fingerprint or iris pattern.

Transactions and Electronic Systems

Additionally, the National Automated Clearing House Association (NACHA) has provided standards which mandate the use of security measures for automated clearing house (ACH) transactions initiated through the Internet or electronically. These guidelines include ensuring secure access to the electronic and Internet systems in conjunction with procedures reasonably designed to identify the ACH originator.

Interagency guidance on authenticating users of technology and the identity of customers is further discussed in FDIC FIL-69-2001, “Authentication in an Electronic Environment.” This FIL not only identifies the risk of access to systems and information, it also emphasizes the need to verify the identity of electronic and/or Internet customers, particularly those who request account opening and new services online.

MONITORING BANK SECRECY ACT COMPLIANCE

Section 8(s) of the Federal Deposit Insurance Act, which implements 12 U.S.C. 1818, requires the FDIC to:

• Develop regulations that require insured financial institutions to establish and maintain procedures reasonably designed to assure and monitor compliance with the BSA;
• Review such procedures during examinations; and
• Describe any problem with the procedures maintained by the insured depository institution within reports of examination.

To satisfy Section 8(s) requirements, at a minimum, examiners must review BSA at each regular safety and soundness examination. In addition, the FDIC must conduct its own BSA examination at any intervening Safety and Soundness examination conducted by a State banking authority if such authority does not review for compliance with the BSA. Section 326.8 of the FDIC’s Rules and Regulations establishes the minimum BSA program requirements for all state nonmember banks, which are necessary to assure compliance with the financial recordkeeping and reporting requirements set forth within the provisions of the Treasury regulation 31 CFR 103.

Part 326.8 of the FDIC’s Rules and Regulations

Minimum Requirements of the BSA Compliance Program

The BSA compliance program must be in writing and approved by the financial institution’s board of directors, with approval noted in the Board minutes. Best practices dictate that Board should review and approve the policy annually. In addition, financial institutions are required to develop and implement a Customer Identification Program as part of their overall BSA compliance program. More specific guidance regarding the CIP program requirements can be found within the “Customer Identification Program” discussion within this section of the DSC Risk Management Manual of Examination Policies (DSC Manual).

A financial institution’s BSA compliance program must meet four minimum requirements, as detailed in Section 326.8 of the FDIC’s Rules and Regulations. The procedures necessary to establish an adequate program and assure reasonable compliance efforts designed to meet these minimum requirements are discussed in detail below:

1. A system of internal controls. At a minimum, the system must be designed to:

a. Identify reportable transactions at a point where all of the information necessary to properly complete the required reporting forms can be obtained. The financial institution might accomplish this by sufficiently training tellers and personnel in other departments or by referring large currency transactions to a designated individual or department. If all pertinent information cannot be obtained from the customer, the financial institution should consider declining the transaction.
b. Monitor, identify, and report possible money laundering or unusual and suspicious activity. Procedures should provide that high-risk accounts, services, and transactions are regularly reviewed for suspicious activity.
c. Ensure that all required reports are completed accurately and properly filed within required timeframes. Financial institutions should consider centralizing the review and report filing functions within the banking organization.
d. Ensure that customer exemptions are properly granted, recorded, and reviewed as appropriate, including biennial renewals of “Phase II” exemptions. Exempt accounts must be reviewed at least annually to ensure that the exemptions are still valid and to determine if any suspicious or unusual activity is occurring in the account. The
BSA compliance officer should review and initial all exemptions prior to granting and renewing them.
e. Ensure that all information sharing requests issued under Section 314(a) of the USA PATRIOT Act are checked in accordance with FinCEN guidelines and are fully completed within mandated time constraints.
f. Ensure that guidelines are established for the optional providing and sharing of information in accordance with 314(b) of the USA PATRIOT Act and the written employment verification regulations (as specified in Section 355 of the USA PATRIOT Act).
g. Ensure that the financial institution’s CIP procedures comply with regulatory requirements.
h. Ensure that procedures provide for adequate customer due diligence in relation to the risk levels of customers and account types. Adequate monitoring for unusual or suspicious activities cannot be completed without a strong CDD program. The CDD program should assist management in predicting the types, dollar volume, and transaction volume the customer is likely to conduct, thereby providing a means to identify unusual or suspicious transactions for that customer.
i. Establish procedures for screening accounts and transactions for OFAC compliance that include guidelines for responding to identified matches and reporting those to OFAC.
j. Provide for adequate due diligence, monitoring, and reporting of private banking activities and foreign correspondent relationships. The level of due diligence and monitoring must be commensurate with the inherent account risk.
k. Provide for adequate supervision of employees who accept currency transactions, complete reports, grant exemptions, open new customer accounts, or engage in any other activity covered by the Financial Recordkeeping and Reporting of Currency and Foreign Transactions regulations at 31 CFR 103.
l. Establish dual controls and provide for separation of duties. Employees who complete the reporting forms should not be responsible for filing them or for granting customer exemptions.

2. Independent testing for compliance with the BSA and Treasury’s regulation 31 CFR Part 103. Independent testing of the BSA compliance program should be conducted by the internal audit department, outside auditors, or qualified consultants. Testing must include procedures related to high-risk accounts and activities. Although not required by the regulation, this review should be conducted at least annually. Financial institutions that do not employ outside auditors or consultants or that do not operate internal audit departments can comply with this requirement by utilizing employees who are not involved in the currency transaction reporting or suspicious activity reporting functions to conduct the reviews. The BSA compliance officer, even if he/she does not participate in the daily BSA monitoring and reporting of BSA, can never suffice for an independent review.

The scope of the independent testing should be sufficient to verify compliance with the financial institution’s anti-money laundering program. Additionally, all findings from the audit should be provided within a written report and promptly reported to the board of directors or appropriate committee thereof. Testing for compliance should include, at a minimum:

a. A test of the financial institution’s internal procedures for monitoring compliance with the BSA, including interviews of employees who handle cash transactions and their supervisors. The scope should include all business lines, departments, branches, and a sufficient sampling of locations, including overseas offices.
b. A sampling of large currency transactions, followed by a review of CTR filings.
c. A test of the validity and reasonableness of the customer exemptions granted by the financial institution.
d. A test of procedures for identifying suspicious transactions and the filing of SARs. Such procedures should incorporate a review of reports used by management to identify unusual or suspicious activities.
e. A review of documentation on transactions that management initially identified as unusual or suspicious, but, after research, determined that SAR filings were not warranted.
f. A test of procedures and information systems to review compliance with the OFAC regulations. Such a test should include a review of the frequency of receipt of OFAC updates and interviews to determine personnel knowledge of OFAC procedures.
g. A test of the adequacy of the CDD program and the CIP. Testing procedures should ensure that established CIP standards are appropriate for the various account types, business lines, and departments. New accounts from various areas in the financial institution should be sampled to
ensure that CDD and CIP efforts meet policy requirements.
h. A review of management reporting of BSA-related activities and compliance efforts. Such a review should determine that reports provide necessary information for adequate BSA monitoring and that they capture the universe of transactions for that reporting area. (For example, the incoming wire transfer logs should contain all the incoming transfers for the time period being reviewed).
i. A test of the financial institution’s recordkeeping system for compliance with the BSA.
j. Documentation of the scope of the testing procedures performed and the findings of the testing.

Independent Testing Workpaper Retention

Retention of workpapers from the independent testing or audit of BSA is expected and those workpapers must be made available to examiners for review upon request. It is essential that the scope and findings from any testing procedures be thoroughly documented. Procedures that are not adequately documented will not be accepted as being in compliance with the independent testing requirement.

3. The designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance with BSA. To meet the minimum requirement, each financial institution must designate a senior official within the organization to be responsible for overall BSA compliance. Other individuals in each office, department or regional headquarters should be given the responsibility for day-to-day compliance. The senior official in charge of BSA compliance should be in a position, and have the authority, to make and enforce policies. This is not intended to require that the BSA administrator be an “executive officer” under the Federal Reserve Board’s Regulation O.

4. Training for appropriate personnel. At a minimum, the financial institution’s training program must provide training for all operational personnel whose duties may require knowledge of the BSA, including, but not limited to, tellers, new accounts personnel, lending personnel, bookkeeping personnel, wire room personnel, international department personnel, and information technology personnel. In addition, an overview of the BSA requirements should be given to new employees and efforts should be made to keep executives and directors informed of changes and new developments in BSA regulations. Training should be comprehensive, conducted regularly, and clearly documented. The scope of the training should include:

• The financial institution’s BSA policies and procedures;
• Identification of the three stages of money laundering (placement, layering, and integration);
• “Red flags” to assist in the identification of money laundering (similar to those provided within the “Identification of Suspicious Transactions” discussion within this chapter);
• Identification and examples of suspicious transactions;
• The purpose and importance of a strong CDD program and CIP requirements;
• Internal procedures for CTR and SAR filings;
• Procedures for reporting BSA matters, including SAR filings to senior management and the board of directors;
• Procedures for conveying any new BSA rules, regulations, or internal policy changes to all appropriate personnel in a timely manner; and
• OFAC policies and procedures.

Depending on the financial institution’s needs, training materials can be purchased from banking associations, trade groups, and outside vendors, or they can be internally developed by the financial institution itself. Copies of the training materials must be available in the financial institution for review by examiners.

BSA VIOLATIONS AND ENFORCEMENT

Procedures for Citing Apparent Violations in the Report of Examination

Apparent Violations of the U.S. Department of the Treasury’s regulation 31 CFR 103 - Financial Recordkeeping and Reporting of Currency and Foreign Transactions

As stated previously, Treasury’s regulation 31 CFR 103 establishes the minimum recordkeeping and reporting requirements for currency and foreign transactions by financial institutions. Failure to comply with the requirements of 31 CFR 103 may result in the examiner citing an apparent violation(s). Apparent violations of 31 CFR 103 are generally for specific issues such as:

• Failure to adequately identify and report large cash transactions in a timely manner;
• Failure to report Suspicious Activities, such as deposit layering or structuring cash transactions;
• Failure to reasonably identify and verify customer identity; and
• Failure to maintain adequate documentation of financial transactions, such as the purchase or sale of monetary instruments and originating or receiving wire transfers.

All apparent violations of the BSA should be reported in the Violations of Laws and Regulations pages of the Report of Examination. When preparing written comments related to apparent violations cited as a result of deficient BSA compliance practices, the following information should be included in each citation:

• Reference to the appropriate section of the regulation;
• Nature of the apparent violation;
• Date(s) and amount of the transaction(s);
• Name(s) of the parties to the transaction;
• Description of the transaction; and
• Management’s response, including planned or taken corrective action.

In preparing written comments for apparent violations of the BSA, examiners should focus solely on statements of fact, and take precautions to ensure that subjective comments are omitted. Such statements would include an examiner attributing the infraction to a cause, such as management oversight or computer error. For all violations of 31 CFR 103, the Treasury reserves the authority to determine if civil penalties should be pursued. Examiner comments on the supposed causes of apparent violations may affect the Treasury’s ability to pursue a case.

Random, isolated apparent violations do not require lengthy explanations or write-ups in the Report of Examination. In such cases, the section of the regulation violated, and identification of the transaction and/or instance will suffice. Examiners are also encouraged to group violations by type. When there are several exceptions to a particular section of the regulation, for example, late CTR filing, examiners should include a minimum of three examples in the Report of Examination citation. The remainder of the violations under that specific regulation can be listed as a total, without detailing all of the information. For example, detail three late CTR filings with customer information, dates, and amounts, but list a total in the apparent violation write-up for 55 instances identified during the examination.

If an examiner chooses not to include each example in the apparent violation citation, the examiners should provide bank management with a separate list so that they can identify and, if possible, correct the particular violation. A copy of the list must also be maintained in the BSA examination workpapers.

Additionally, deficient practices may violate more than one regulation. In such circumstances, the apparent violations can be grouped together. However, all of the sections of each violated regulation must be cited. Each apparent violation must be recorded on the BSA Data Entry sheet and submitted with the Report of Examination for review and transmittal.

Apparent Violations of Section 326.8 of the FDIC Rules and Regulations

In situations where deficiencies in the BSA compliance program are serious or systemic in nature, or apparent violations result from management’s inability or unwillingness to develop and administer an effective BSA compliance program, examiners should cite an apparent violation(s) of the appropriate subsection(s) of Section 326.8, within the Report of Examination. Additionally, apparent violations of 31 CFR 103 that are repeated at two or more examinations, or dissimilar apparent violations that are recurring over several examinations, may also point towards a seriously deficient compliance program. When such deficiencies persist within the financial institution, it may be appropriate for examiners to consider the overall program to be deficient and cite an apparent violation of Section 326.8.

Specifically, an apparent violation of Section 326.8(b)(1) should be cited when the weaknesses and deficiencies identified in the BSA compliance program are significant, repeated, or pervasive. Citing a Section 326.8(b)(1) violation indicates that the program is inadequate or substantially ineffective. Furthermore, these deficiencies, if uncorrected, significantly impair the institution’s ability to detect and prevent potential money laundering or terrorist financing activities.

An apparent violation of Section 326.8(b)(2) should be cited when weaknesses and deficiencies cited in the Customer Identification Program mitigate the institution’s ability to reasonably establish, verify and record customer identity. An apparent violation of 326.8(b)(2) would generally be associated with specific weaknesses that would be reflected in apparent violations of 31 CFR 103.121, which establishes the minimum requirements for Customer Identification Programs.

An apparent violation of Section 326.8(c) should be cited for a specific program deficiency to the extent that
deficiency is attributed to internal controls, independent testing, individual responsible for monitoring day-to-day compliance, or training. If an apparent violation of Section 326.8(c) is determined to be an isolated program weakness that does not significantly impair the effectiveness of the overall compliance program, then a Section 326.8(b) should not be cited. If one or more program violations are cited under Section 326.8(c), or are accompanied by notable infractions of Treasury’s regulation 31 CFR 103, or management is unwilling or unable to correct the reported deficiencies, the aggregate citations would likely point toward an ineffective program and warrant the additional citing of a 326.8(b) program violation, in addition to the other program, and/or financial recordkeeping violations.

When preparing written comments related to apparent violations cited as a result of deficient BSA compliance program, as defined in Section 326.8, the following information should be included in each citation:

• Nature of the violation(s);
• Name(s) of the individual(s) responsible for coordinating and monitoring compliance with the BSA (BSA officer);
• Specific internal control deficiencies that contributed to the apparent violation(s); and
• Management’s response, including planned or taken corrective action.

BSA Workpapers Evidencing Apparent Violations

BSA examination workpapers that support BSA/AML apparent violation citations, enforcement actions, SARs, and CMP referrals to the Treasury should be maintained for 5 years, since they may be needed to assist further investigation or other supervisory response. Examination workpapers should not generally be included as part of a SAR, enforcement action recommendation, or Treasury referral, but may be requested for additional supporting information during a law enforcement investigation.

Civil Money Penalties and Referrals to FinCEN

When significant apparent violations of the BSA, or cases of willful and deliberate violations of 31 CFR 103 or Section 326.8 of the FDIC’s Rules and Regulations are identified at a state nonmember financial institution, examiners should determine if a recommendation for CMPs is appropriate. This assessment should be conducted in accordance with existing examiner guidance for consideration of CMPs, detailed within the DSC Manual.

Civil penalties for negligence and willful violations of BSA are detailed in 31 CFR 103.57. This section states that negligent violations of any regulations under 31 CFR 103 shall not exceed $500. Willful violations for any reporting requirement for financial institutions under 31 CFR 103 can be assessed a civil penalty up to $100,000 and no less than $25,000. CMPs may also be imposed by the FDIC for violations of final Cease and Desist Orders issued under our authority granted in Section 8(s) of the Federal Deposit Insurance Act (FDI Act). In these cases, the penalty is established by Section 8(i)(2) of the FDI Act at up to $5,000 per day for each day the violation continues. Recommendations for civil money penalties for violations of Cease and Desist Orders should be handled in accordance with outstanding FDIC Directives.

Furthermore, Section 363 of the USA PATRIOT Act increases the maximum civil and criminal penalties from $100,000 to up to $1,000,000 for violations of the following sections of the USA PATRIOT Act:

• Section 311: Special measures enacted by the Treasury for jurisdictions, financial institutions, or international transactions or accounts of primary money laundering concern;
• Section 312: Special due diligence for correspondent accounts and private banking accounts; and
• Section 313: Prohibitions on U.S. correspondent accounts with foreign shell banks.

Referring Significant Violations of the BSA to FinCEN

Financial institutions that are substantially noncompliant with the BSA should be reviewed by the FDIC for recommendation to FinCEN regarding the issuance of CMPs. FinCEN is the administrator of the BSA and has the authority to assess CMPs against any domestic financial institution, including any insured U.S. branch of a foreign bank, and any partner, director, officer, or employee of a domestic financial institution for violations of the BSA and implementing regulations. Criminal prosecution is also authorized, when warranted. However, referrals to FinCEN do not preclude the FDIC from using its authority to take formal administrative action.

Factors to consider for determining when a referral to FinCEN is warranted and the guidelines established for preparing and forwarding referral documentation are detailed in examiner guidance. When examiners identify serious BSA program weaknesses at an institution, including significant apparent violations, the examiner should consult with the Regional SACM before proceeding further.

Generally, a referral should be considered when the types and nature of apparent violations of the BSA result from a nonexistent or seriously deficient BSA and anti-money laundering compliance program; expose the financial institution to a heightened level of risk for potential money laundering activity; or demonstrate a willful or flagrant disregard for the requirements of the BSA. Normally, isolated incidences of noncompliance should not be referred for penalty consideration. Even if the type of violation was cited previously, referral would not be appropriate if the apparent violations involved are genuine misunderstandings of the BSA requirements or inadvertent violations, the deficiencies are correctable in the normal course of business and proper corrective action has been taken or committed to by management.

A referral may be warranted in the absence of previous violations if the nature of apparent violations identified at the current examination is serious. An example would be failing to file FinCEN Form 104, Currency Transaction Report, on nonexemptible businesses or businesses that, while exemptible, FinCEN, as a matter of policy will not authorize the financial institution to exempt. To illustrate, the failure to file CTRs on transactions involving an individual or automobile dealer (both nonexemptible) is of greater concern to FinCEN than a failure to file CTRs on a recently opened supermarket which has not yet been added to the bank’s exempt list or a golf course where the financial institution believed that it qualified for a unilateral exemption as a sports arena. This doesn’t mean that the failure to file CTRs on a supermarket should never be referred. Failure to file CTRs on a supermarket that is a front for , that has no customers yet has large receipts, or that has currency transaction activity that far exceeds its expected revenues would warrant referral.

Mitigating Factors to Consider

Other considerations in deciding whether to recommend criminal/civil penalties include the financial institution’s past history of compliance, and whether the current system of policies, procedures, systems, internal controls, and training are sufficient to ensure a satisfactory level in the future. Senior management’s attitude and commitment toward compliance as evidenced by their involvement and devotion of resources to compliance programs should also be considered. Any mitigating factors should be given full consideration. Mitigating factors would include:

• The implementation of a comprehensive compliance program that ensures a high level of compliance including a system for aggregating currency transactions.
• Volunteer reporting by the institution of apparent violations discovered on its own during the course of internal audits. This does not apply to situations where examiners disclose apparent violations and the institution comes forward voluntarily to head off a possible referral.
• Positive efforts to assist law enforcement, including the reporting of suspicious transactions and the filing of Suspicious Activity Reports.

It should be noted that FinCEN does not categorize violations as substantive or technical. However, FinCEN does recognize the varying nature of violations and the fact that not all violations require a referral.

Content of a Well-Developed Referral

A well-developed referral is one that contains sufficient detail to permit FinCEN to ascertain: the number, nature and severity of apparent violations cited; the overall level of BSA compliance; the severity of any weaknesses in the financial institution’s compliance program; and the financial institution’s ability to achieve a satisfactory level of compliance in the future.

A summary memorandum detailing these issues should be prepared by the field examiner and submitted to the Regional Office for review. At a minimum, each referral should include a copy of this memorandum, the Report of Examination pages that discuss BSA findings, and a civil monetary penalty assessment. Documents contained in the referral package need to be conclusion-oriented and descriptive with facts supporting summary conclusions. It is not sufficient to say that the financial institution has written policies and procedures or that management provides training to employees. Referrals are much more useful when they discuss the specific deficiencies identified within the compliance programs, policies and procedures, systems, management involvement, and training.

Discussing the Referral Process with Financial Institution Management

Examiners should not advise the financial institution that a civil money penalty referral is being submitted to FinCEN. If an investigation by law enforcement is warranted, it may be compromised by disclosure of this information. It is permissible to tell management that FinCEN will be notified of all apparent violations of the BSA cited. However, examiners are not to provide any oral or written communication to the financial institution passing judgment on the willfulness of apparent violations.

Criminal Penalties

Treasury regulation 31 CFR 103.59 notifies institutions that they can be subject to criminal penalties if convicted for willful violations of the BSA of not more than $1,000 and/or one year in prison. If such a BSA violation is committed to further any other Federal law punishable by more than a year in prison (such as fraud, money laundering, theft, illegal narcotics sales, etc.) then harsher penalties can be imposed. In these cases, the perpetrator, upon conviction, can be fined not more than $10,000 and/or be imprisoned not more than 5 years.

In addition, criminal penalties may also be charged against any person who knowingly makes any false, fictitious, or fraudulent statement or representation in any BSA report. Upon conviction of such an act, the perpetrator may be fined not more than $10,000 and/or imprisoned for 5 years.

Certain violations of the BSA allow for the U.S. Government to seize the funds related to the crime. The USA PATRIOT Act amended the BSA to provide for funds forfeiture in cases dealing with foreign crimes, U.S. interbank accounts, and in connection with some currency transaction reporting violations. Furthermore, the U.S. Government can seize currency or other monetary instruments physically transported into or out of the U.S. when required BSA reports go unfiled or contain material omissions or misstatements.

Supervisory Actions

The FDIC has the authority to address less than adequate compliance with the BSA through various formal or informal administrative actions. If a specific violation of Section 326.8 or 31 CFR 103 is not corrected or the same provision of a regulation is cited from one examination to the next, Section 8(s) of the FDI Act requires the FDIC to consider formal enforcement action as described in Section 8(b) or 8(c) of the FDI Act. However, the FDIC has determined that informal enforcement action, such as a Board Resolution or a Memorandum of Understanding may be a more appropriate supervisory response, given related circumstances and events, which may serve as mitigating factors.

Violations of a technical and limited nature would not necessarily reflect an inadequate BSA program; as such, it is important to look at the type and number of violations before determining the appropriate administrative action. If the Regional Office reviews a case with significant violations, it should determine whether an enforcement action is necessary. Under such circumstances, if the Regional Office determines that a Cease and Desist action is not appropriate, then documentation supporting that decision should be maintained at the Regional Office and a copy of that documentation submitted to the Special Activities Section in Washington, D.C.

Memoranda of Understanding (MOU) and Board Resolutions (BBR)

In certain cases, the Regional Office may determine that a BBR or a MOU is an appropriate action to deal with an institution’s BSA weaknesses. BBRs should only be used in circumstances where recommendations are minor and do not affect the overall adequacy of the institution’s BSA compliance program. Unlike a BBR, a MOU is a bi-lateral agreement between the financial institution and the FDIC. When the Regional Office deems that a MOU is appropriate, the examiners, reviewer, the Regional SACM, and the Regional legal department may work together to formulate the provisions of the action and obtain appropriate approvals as soon as possible after the examination.

Cease and Desist Orders

Section 8(s) of the FDI Act grants the FDIC the power to issue Cease and Desist Orders solely for the purpose of correcting BSA issues at state nonmember banks. In situations where BSA/AML program weaknesses expose the institution to an elevated level of risk to potential money laundering activity, are repeatedly cited at consecutive examinations, or demonstrate willful noncompliance or negligence by management, a Section 8(b) Order to Cease and Desist should be considered by the Regional Office. Cases referred to FinCEN for civil money penalties should also be reviewed for formal supervisory action.

When a Cease and Desist Order is deemed to be appropriate, the examiners, reviewer, the Regional SACM, and the Regional legal department should work together to formulate the provisions of the action and obtain appropriate approvals as soon as possible after the examination. Specific details are contained in the Formal and Informal Actions Procedures (FIAP) Manual.

Removal/Prohibition Orders

If deficiencies or apparent violations of Section 326.8 or 31 CFR 103 involve negligent or egregious action or inaction by institution-affiliated parties (IAPs), other formal actions may be appropriate. In such situations where the IAP exposes the institution to an elevated risk of, or has facilitated or participated in actual transactions involving money laundering activity, utilization of Section
8(e) of the FDI Act, a removal/prohibition action, should be considered.

In cases where apparent violations of Section 326.8 and/or 31 CFR Section 103 have been committed by an IAP(s) and appear to involve criminal intent, examiners should contact the Regional SACM or other designees about filing a SAR on the IAP(s). If the involvement of the IAP(s) in the criminal activity warrants, the Regional Office should also consider contacting the Federal Bureau of Investigation (FBI) or other Federal law enforcement agency via phone or letter to provide them a referral of the SAR and indicate the FDIC’s interest in pursuit of the case.

IDENTIFICATION OF SUSPICIOUS TRANSACTIONS

Effective BSA/AML compliance programs include controls and measures to identify and report suspicious transactions in a timely manner. An institution should have in place a CDD program sufficient to be able to make an informed decision about the suspicious nature of a particular transaction. This section highlights unusual or suspicious activities and transactions that may indicate potential money laundering through structured transactions, terrorist financing, and other schemes designed for illicit purposes. Often, individuals involved in suspicious activity will use a combination of several types of unusual transactions in an attempt to confuse or mislead anyone attempting to identify the true nature of their activities.

Structuring is the most common suspicious activity reported to FinCEN. Structuring is defined as breaking down a sum of currency that exceeds the $10,000 CTR reporting level per the regulation, into a series of transactions at or less than $10,000. The transactions do not need to occur on any single day in order to constitute structuring. Money launderers have developed many ways to structure large amounts of cash to evade the CTR reporting requirements. Examiners should be alert to multiple cash transactions that exceed $10,000, but may involve other monetary instruments, bank official checks, travelers’ checks, savings bonds, loans and loan payments, or even securities transactions as the offsetting entry. The transactions could also involve the exchange of small bank notes for large ones, but in amounts less than $10,000. Structuring of cash transactions to evade CTR filing requirements is often the easiest of suspicious activities to identify. It is subject to criminal and civil violations of the BSA regulations as implemented within 31 CFR 130.63. This regulation states that any person who structures or assists in structuring a currency transaction at a financial institution for the purpose of evading CTR reporting, or causes or attempts to cause a financial institution to fail to file a CTR, or causes the financial institution to file a CTR that contains a material omission or misstatement of fact, is subject to the criminal and civil violations of the BSA regulations. Financial institutions are required by the BSA to have monitoring procedures in place to identify structured transactions.

Knowledge of the three stages of money laundering (discussed below) has multiple benefits for financial institutions. These benefits include, but are not limited to, the following:

• Identification and reporting of illicit activities to FinCEN,
• Prevention against losses stemming from fraud,
• Prevention against citation of apparent violations of BSA and SAR regulations, and
• Prevention against assessment of CMPs by FinCEN and/or the FDIC.

The following discussions and “red flag” lists, while not all-inclusive, identify various types of suspicious activity/transactions. These lists are intended to serve as a reference tool and should not be used to make immediate and definitive conclusions that a particular activity or series of transactions is illegal. They should be viewed as potentially suspicious warranting further review. The activity/transactions may not be suspicious if they are consistent with a customer’s legitimate business.

The Three Stages of Money Laundering

There are three stages in typical money laundering schemes:

1. Placement,
2. Layering, and
3. Integration.

Placement

Placement, the first stage of money laundering, involves the placement of bulk cash into the financial system without the appearance of being connected to a criminal activity. There are many ways cash can be placed into the system. The simplest way is to deposit cash into a financial institution; however, this is also one of the riskier ways to get caught laundering money. To avoid notice, banking transactions involving cash are likely to be conducted in amounts under the CTR reporting thresholds; this activity is referred to as “structuring.”
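
One way a monitoring procedure could test for the structuring pattern defined above, as an added example that is not part of the manual: it flags cash transactions that are each at or under the $10,000 CTR level but together exceed it within a rolling window, grouped by conductor or, to cover deposits split among several individuals, by account. The 5-day window, the record fields and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")  # CTR reporting level given in the manual
WINDOW_DAYS = 5                   # assumption: review window, not set by the manual


@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    customer_id: str   # person conducting the transaction
    account_id: str    # account credited
    branch: str
    day: date
    amount: Decimal


@dataclass(frozen=True)
class Alert:
    group_key: str
    first_day: date
    last_day: date
    total: Decimal
    txn_ids: tuple
    branches: frozenset


def find_structuring(txns, group_by="customer_id",
                     window_days=WINDOW_DAYS, threshold=CTR_THRESHOLD):
    """Return one Alert per group whose cash transactions, each at or under
    the threshold, add up to more than the threshold inside a rolling window.
    The alert describes the window with the largest total for that group."""
    groups = defaultdict(list)
    for t in txns:
        # A single transaction above the threshold is CTR-reportable by itself,
        # so it is left out of the structuring test.
        if Decimal("0") < t.amount <= threshold:
            groups[getattr(t, group_by)].append(t)

    alerts = []
    for key in sorted(groups):
        items = sorted(groups[key], key=lambda t: (t.day, t.txn_id))
        start, running, best = 0, Decimal("0"), None
        for end, t in enumerate(items):
            running += t.amount
            # Move the window start forward until it spans fewer than window_days.
            while (t.day - items[start].day).days >= window_days:
                running -= items[start].amount
                start += 1
            # At least two transactions are needed to form a series.
            if end > start and running > threshold:
                if best is None or running > best.total:
                    window = items[start:end + 1]
                    best = Alert(key, window[0].day, window[-1].day, running,
                                 tuple(w.txn_id for w in window),
                                 frozenset(w.branch for w in window))
        if best is not None:
            alerts.append(best)
    return alerts


def _t(txn_id, cust, acct, branch, y, m, d, amt):
    return CashTxn(txn_id, cust, acct, branch, date(y, m, d), Decimal(amt))


# Constructed sample data, not real transactions.
SAMPLE_TXNS = [
    _t("T1", "C1", "ACCT-1", "Main", 2004, 3, 1, "9500"),    # one person, three
    _t("T2", "C1", "ACCT-1", "North", 2004, 3, 2, "9800"),   # sub-threshold deposits
    _t("T3", "C1", "ACCT-1", "Main", 2004, 3, 4, "9900"),    # across four days
    _t("T4", "C2", "ACCT-2", "Main", 2004, 3, 1, "12000"),   # reportable on its own
    _t("T5", "C3", "ACCT-3", "Main", 2004, 3, 1, "6000"),    # two deposits,
    _t("T6", "C3", "ACCT-3", "Main", 2004, 3, 15, "6000"),   # two weeks apart
    _t("T7", "C4", "ACCT-9", "Main", 2004, 3, 8, "4000"),    # three individuals,
    _t("T8", "C5", "ACCT-9", "North", 2004, 3, 8, "4000"),   # three branches,
    _t("T9", "C6", "ACCT-9", "South", 2004, 3, 8, "4000"),   # one account, one day
]

if __name__ == "__main__":
    for field in ("customer_id", "account_id"):
        for a in find_structuring(SAMPLE_TXNS, group_by=field):
            print(field, a.group_key, a.first_day, a.last_day,
                  a.total, sorted(a.branches))
```

Grouping by customer flags only C1, while grouping by account also surfaces ACCT-9; widening the window to 30 days brings in C3, which shows how much the result depends on the assumed window.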

Furthermore, the use of false identities to conduct these transactions is common; banking officers should be vigilant in looking for false identification documents. In an attempt to conceal their activities, money launderers will often resort to “smurfing” activities to get illicit funds into a financial institution. “Smurfing” is the process of using several individuals to deposit illicit cash proceeds into many accounts at one or several financial institutions in a single day.

Furthermore, cash can be exchanged for traveler’s checks, food stamps, or other monetary instruments, which can then also be deposited into financial institutions. Placement can also be done by purchasing goods or services, such as a travel/vacation package, insurance policies, jewelry, or other “high-ticket” items. These goods and services can then be returned to the place of purchase in exchange for a refund check, which can then be deposited at a financial institution with less likelihood of detection as being suspicious. Smuggling cash out of a country and depositing that cash into a foreign financial institution is also a form of placement. Illegally-obtained funds can also be funneled into a legitimate business as cash receipts and deposited without detection. This type of activity actually combines placement with the other two stages of money laundering, layering and integration, discussed below.

Layering

The second stage of money laundering is typically layering. This stage is the process of moving and manipulating funds to confuse their sources as well as complicating or partially eliminating the paper trail. Layering may involve moving funds in various forms through multiple accounts at numerous financial institutions, both domestic and international, in a complex series of transactions. Examples of layering transactions include:

• Transferring funds by check or monetary instrument;
• Exchanging cashier’s checks and other monetary instruments for other cashier’s checks, larger or smaller, possibly adding additional cash or other monetary instruments in the process;
• Performing intrabank transfers between accounts owned or controlled by common individuals (for example, telephone transfers);
• Performing wire transfers to accounts under various customer and business names at other financial institutions;
• Transferring funds outside and possibly back into the U.S. by various means such as wire transfers, particularly through “secrecy haven” countries;
• Obtaining certificate of deposit (CD) secured loans and depositing the loan disbursement check into an account (when the loan is defaulted on, there is no loss to the bank); and
• Depositing a refund check from a canceled vacation package or insurance policy.

Layering transactions may become very complex and involve several of these methods to hide the trail of funds.

Integration

The third stage of money laundering is integration, which typically follows the layering stage. However, as mentioned in the discussion of the placement stage, integration can be accomplished simultaneously with the placement of funds. After the funds have been placed into the financial system and insulated through the layering process, the integration phase is used to create the appearance of legality through additional transactions such as loans, or real estate deals. These transactions provide the criminal with a plausible explanation as to where the funds came from to purchase assets and shield the criminal from any type of recorded connection to the funds.

During the integration stage, the funds are returned in a usable format to the criminal source. This process can be achieved through various schemes, such as:

• Inflating business receipts,
• Overvaluing and undervaluing invoices,
• Creating false invoices and shipping documents,
• Establishing foreign trust accounts,
• Establishing a front company or phony charitable organization, and
• Using gold bullion schemes.

These schemes are just a few examples of the integration stage; the possibilities are not limited.

Money Laundering Red Flags

Some activities and transactions that are presented to a financial institution should raise the level of concern regarding the possibility of potential money laundering activity. Evidence of these “red flags” in an institution’s accounts and transactions should prompt the institution, and examiners reviewing such activity, to consider the possibility of illicit activities. While these red flags are not evidence of illegal activity, these common indicators should be part of an expanded review of suspicious activities.

General

• Refusal or reluctance to proceed with a transaction, or abruptly withdrawing a transaction. A customer may be reluctant to proceed, or may even withdraw all or a portion of a transaction after being informed that a CTR will be filed, or that the purchase of a monetary instrument will be recorded. This action would be taken to avoid BSA reporting and recordkeeping requirements.

• Customer refusal or reluctance to provide information or identification. A customer may be reluctant, or even refuse to provide identifying information when opening an account, cashing a check, recording the purchase of a monetary instrument, or providing information necessary to file a CTR.

• Structured or recurring, non-reportable transactions. An individual or group may attempt to avoid BSA reporting and recordkeeping requirements by breaking up, or structuring a currency transaction or purchase of monetary instruments in amounts less than the reporting/recordkeeping thresholds. Transactions may also be conducted with multiple banks, branches, customer service representatives, accounts, and/or on different days in an attempt to avoid reporting requirements.

• Multiple third parties conducting separate, but related, non-reportable transactions. Two or more individuals may go to different tellers or branches and each conduct transactions just under the reporting/recordkeeping threshold. (This activity is often referred to as “smurfing.”)

• Even dollar amount transactions. Numerous transactions are conducted in even dollar amounts.

• Transactions structured to lose the paper trail. The bank may be asked to process internal debits or credits containing little or no description of the transaction in an attempt to “separate” a transaction from its account.

• Significant increases in the number or amount of transactions. A large increase in the number or amount of transactions involving currency, the purchase of monetary instruments, wire transfers, etc., may indicate potential money laundering.

• Transactions which are not consistent with the customer’s business, occupation, or income level. Transactions should be consistent with the customer’s known business or income level.

• Transactions by non-account holders. A non-account holder conducts or attempts to conduct transactions such as currency exchanges, the purchase or redemption of monetary instruments, with no apparent legitimate reason.

Cash Management: Branch and Vault Shipments

• Change in currency shipment patterns. Significant changes in currency shipment patterns between vaults, branches and/or correspondent banks as noted on cash shipment records may indicate a potential money laundering scheme occurring in a particular location.

• Large increase in the cash supply. A large, sustained increase in the cash balance would normally cause some increase in the number of CTRs filed. Another example of a red flag in this area would be a rapid increase in the size and frequency of cash deposits with no corresponding increase in non-cash deposits.

• Currency shipments to or from remote locations. Unusually large transactions between a small, remote bank and a large metropolitan bank may also indicate potential money laundering.

• Significant exchanges of small denomination bills for large denomination bills. Significant increases resulting from the exchange of small denominations for large denominations may be reflected in the cash shipment records.

• Significant requirement for large bills. Branches whose large bill requirements are significantly greater than the average may be conducting large currency exchanges. Branches that suddenly stop shipping large bills may be using them for currency exchanges.

• International cash shipments funded by multiple monetary instruments. This involves the receipt of funds in the form of multiple official bank checks, cashier’s checks, traveler’s checks, or personal checks that are drawn on or issued by U.S. financial institutions. They may be made payable to the same individual or business, or related individuals or businesses, and may be in U.S. dollar amounts that are below the BSA reporting/recordkeeping threshold. Funds are then shipped or wired to a financial institution outside the U.S.

• Other unusual domestic or international shipments. A customer requests an outgoing shipment or is the beneficiary of a shipment of currency, and the instructions received appear inconsistent with normal cash shipment practices. For example, the customer directs the bank to ship the funds to a foreign country and advises the bank to expect same day return of funds from sources different than the beneficiary named, thereby changing the source of the funds.

• Frequent cash shipments with no apparent business reason. Frequent use of cash shipments that is not justified by the nature of the customer’s business may be indicative of money laundering.

Currency Exchanges and Other Currency Transactions

• Unusual exchange of denominations. An individual or group seeks the exchange of small denomination bills (five, ten and twenty dollar bills) for large denomination bills (hundred dollar bills), without any apparent legitimate business reason.

• Check cashing companies. Large increases in the number and/or amount of cash transactions for check cashing companies.

• Unusual exchange by a check cashing service. No exchange or cash back for checks deposited by an individual who owns a check cashing service can indicate another source of cash.

• Suspicious movement of funds. Suspicious movement of funds out of one financial institution, into another financial institution, and back into the first financial institution can be indicative of the layering stage of money laundering.

Deposit Accounts

• Minimal, vague or fictitious information provided. An individual provides minimal, vague, or fictitious information that the financial institution cannot readily verify.

• Lack of references or identification. An individual attempts to open an account without references or identification, gives sketchy information, or refuses to provide the information needed by the financial institution.

• Non-local address. The individual does not have a local residential or business address and there is no apparent legitimate reason for opening an account with the bank.

• Customers with multiple accounts. A customer maintains multiple accounts at a bank or at different banks for no apparent legitimate reason. The accounts may be in the same names or in different names with different signature authorities. Routine inter-account transfers provide a strong indication of accounts under common control.

• Frequent deposits or withdrawals with no apparent business source. The customer frequently deposits or withdraws large amounts of currency with no apparent business source, or the business is of a type not known to generate substantial amounts of currency.

• Multiple accounts with numerous deposits under $10,000. An individual or group opens a number of accounts under one or more names, and makes numerous cash deposits just under $10,000, or deposits containing bank checks or traveler’s checks, or a combination of all of these.

• Numerous deposits under $10,000 in a short period of time. A customer makes numerous deposits under $10,000 in an account in short periods of time, thereby avoiding the requirement to file a CTR. This includes deposits made at an ATM.

• Accounts with a high volume of activity and low balances. Accounts with a high volume of activity, which carry low balances, or are frequently overdrawn, may be indicative of money laundering or check kiting.

• Large deposits and balances. A customer makes large deposits and maintains large balances with little or no apparent justification.

• Deposits and immediate requests for wire transfers or cash shipments. A customer makes numerous deposits in an account and almost immediately requests wire transfers or a cash shipment from that account to another account, possibly in another country. These transactions are not consistent with the customer’s legitimate business needs. Normally, only a nominal amount remains in the original account.

• Numerous deposits of small incoming wires or monetary instruments, followed by a large outgoing wire. Numerous small incoming wires and/or multiple monetary instruments are deposited
into an account. The customer then requests a large outgoing wire to another institution or country.
• Accounts used as a temporary repository for funds. The customer appears to use an account as a temporary repository for funds that ultimately will be transferred out of the financial institution, sometimes to foreign-based accounts. There is little account activity.
• Funds deposited into several accounts, transferred to another account, and then transferred outside of the U.S. This involves the deposit of funds into several accounts, which are then combined into one account, and ultimately transferred outside the U.S. This activity is usually not consistent with the known legitimate business of the customer.
• Disbursement of certificates of deposit by multiple bank checks. A customer may request disbursement of the proceeds of a certificate of deposit or other investments in multiple bank checks, each at or under $10,000. The customer can then negotiate these checks elsewhere for currency. The customer avoids the CTR requirements and severs the paper trail.
• Early redemption of certificates of deposits. A customer may request early redemption of certificates of deposit or other investments within a relatively short period of time from the purchase date of the certificate of deposit or investment. The customer may be willing to lose interest and incur penalties as a result of the early redemption.
• Sudden, unexplained increase in account activity or balance. There may be a sudden, unexplained increase in account activity, both from cash and from non-cash items. An account may be opened with a nominal balance that subsequently increases rapidly and significantly.
• Limited use of services. Frequent large cash deposits are made by a corporate customer, who maintains high balances but does not use the financial institution’s other services.
• Inconsistent deposit and withdrawal activity. businesses may deposit numerous checks, but there will rarely be withdrawals for daily operations.
• Strapped currency. Frequent deposits of large amounts of currency, wrapped in currency straps that have been stamped by other financial institutions.
• Client, trust and escrow accounts. Substantial cash deposits by a professional customer into client accounts, or in-house company accounts, such as trust and escrow accounts.
• Large amount of food stamps. Unusually large deposits of food stamps, which may not be consistent with the customer’s legitimate business.

Lending

• Certificates of deposits used as collateral. An individual buys certificates of deposit and uses them as loan collateral. Illegal funds can be involved in either the certificate of deposit purchase or utilization of loan proceeds.
• Sudden/unexpected payment on loans. A customer may suddenly pay down or pay off a large loan, with no evidence of refinancing or other explanation.
• Reluctance to provide the purpose of the loan or the stated purpose is ambiguous. A customer seeking a loan with no stated purpose may be trying to conceal the true nature of the loan. The BSA requires the bank to document the purpose of all loans over $10,000, with the exception of those secured by real property.
• Inconsistent or inappropriate use of loan proceeds. There may be cases of inappropriate disbursement of loan proceeds, or disbursements for purposes other than the stated loan purpose.
• Overnight loans. A customer may use “overnight” loans to create high balances in accounts.
• Loan payments by third parties. Loans that are paid by a third party could indicate that the assets securing the loan are really those of a third party, who may be attempting to conceal ownership of illegally gained funds.
• Loan proceeds used to purchase property in the name of a third party, or collateral pledged by a third party. A customer may use loan proceeds to purchase, or may pledge as collateral, real property in the name of a trustee, shell corporation, etc.
• Permanent mortgage financing with an unusually short maturity, particularly in the case of large mortgages.
• Structured down payments or escrow money transactions. An attempt to “structure” a down payment or escrow money transaction may be made in order to conceal the true source of the funds used.
• Attempt to sever the paper trail. Attempts may be made by the customer or bank to sever any paper trail connecting a loan to the collateral.
• Wire transfer of loan proceeds. A customer may request that loan proceeds be wire transferred for no apparent legitimate reason.
• Disbursement of loan proceeds by multiple bank checks. A customer may request disbursement of loan proceeds in multiple bank checks, each under $10,000. The customer can then negotiate these checks elsewhere for currency. The customer avoids the currency transaction reporting requirements and severs the paper trail.
• Loans to companies outside the U.S. Unusual loans to offshore customers, and loans to companies incorporated in “secrecy havens” are higher risk activities.
• Financial statement. Financial statement composition of a business differs greatly from those of similar businesses.

Monetary Instruments

• Structured purchases of monetary instruments. An individual or group purchases monetary instruments with currency in amounts below the $3,000 BSA recordkeeping threshold.
• Replacement of monetary instruments. An individual uses one or more monetary instruments to purchase another monetary instrument(s).
• Frequent purchase of monetary instruments without apparent legitimate reason. A customer may repeatedly buy a number of official bank checks or traveler’s checks with no apparent legitimate reason.
• Deposit or use of multiple monetary instruments. The deposit or use of numerous official bank checks or other monetary instruments, all purchased on the same date at different banks or different issuers of the instruments may indicate money laundering. These instruments may or may not be payable to the same individual or business.
• Incomplete or fictitious information. The customer may conduct transactions involving monetary instruments that are incomplete or contain fictitious payees, remitters, etc.
• Large cash amounts. The customer may purchase cashier’s checks, money orders, etc., with large amounts of cash.

Safe Deposit Boxes

• Frequent visits. The customer may visit a safe deposit box on an unusually frequent basis.
• Out-of-area customers. Safe deposit boxes may be opened by individuals who do not reside or work in the bank’s service area.
• Change in safe deposit box traffic pattern. There may be traffic pattern changes in the safe deposit box area. For example, more people may enter or enter more frequently, or people carry bags or other containers that could conceal large amounts of cash.
• Large amounts of cash maintained in a safe deposit box. A customer may access the safe deposit box after completing a transaction involving a large withdrawal of cash, or may access the safe deposit box prior to making cash deposits which are just under $10,000.
• Multiple safe deposit boxes. A customer may rent multiple safe deposit boxes if storing large amounts of currency.

Wire Transfers

• Wire transfers to countries widely considered “secrecy havens.” Transfers of funds to well known “secrecy havens.”
• Incoming/outgoing wire transfers with instructions to the receiving institution to pay upon proper identification. The instructions to the receiving bank are to “pay upon proper identification.” If paid for in cash, the amount may be just under $10,000 so no CTR is required. The purchase may be made with numerous official checks or other monetary instruments. The amount of the transfer may be large, or the funds may be sent to a foreign country.
• Outgoing wire transfers requested by non-account holders. If paid in cash, the amount may be just under $10,000 to avoid the CTR filing requirement.
Alternatively, the transfer may be paid with several official checks or other monetary instruments. The funds may be directed to a foreign country.
• Frequent wire transfers with no apparent business reason. A customer’s frequent wire transfer activity is not justified by the nature of their business.
• High volume of wire transfers with low account balances. The customer requests a high volume of incoming and outgoing wire transfers but maintains low or overdrawn account balances.
• Incoming and outgoing wires in similar dollar amounts. There is a pattern of wire transfers of similar amounts both into and out of the customer’s account, or related customer accounts, on the same day or next day. The customer may receive many small incoming wires, and then order a large outgoing wire transfer to another city or country.
• Large wires by customers operating a cash business. Could involve wire transfers by customers operating a mainly cash business. The customers may be depositing large amounts of currency.
• Cash or bearer instruments used to fund wire transfers. Use of cash or bearer instruments to fund wire transfers may indicate money laundering.
• Unusual transaction by correspondent financial institutions. Suspicious transactions may include: (1) wire transfer volumes that are extremely large in proportion to the asset size of the bank; (2) when the bank’s business strategy and financial statements are inconsistent with a large volume of wire transfers, particularly outside the U.S.; or (3) a large volume of wire transfers of similar amounts in and out on the same or next day.
• International funds transfer(s) which are not consistent with the customer’s business. International transfers, to or from the accounts of domestic customers, in amounts or with a frequency that is inconsistent with the nature of the customer’s known legitimate business activities could indicate money laundering.
• International transfers funded by multiple monetary instruments. This involves the receipt of funds in the form of multiple official bank checks, traveler’s checks, or personal checks that are drawn on or issued by U.S. financial institutions and made payable to the same individual or business, or related individuals or businesses, in U.S. dollar amounts that are below the BSA reporting threshold. The funds are then wired to a financial institution outside the U.S.
• Other unusual domestic or international funds transfers. The customer requests an outgoing wire or is the beneficiary of an incoming wire, and the instructions appear inconsistent with normal wire transfer practices. For example, the customer directs the bank to wire the funds to a foreign country and advises the bank to expect same day return of funds from sources different than the beneficiary named, thereby changing the source of the funds.
• No change in form of currency. Funds or proceeds of a cash deposit may be wired to another country without changing the form of currency.

Other Activities Involving Customers and Bank Employees

• Questions or discussions on how to avoid reporting/recordkeeping. This involves discussions by individuals about ways to bypass the filing of a CTR or recording the purchase of a monetary instrument.
• Customer attempt to influence a bank employee not to file a report. This would involve any attempt by an individual or group to threaten, bribe, or otherwise corruptly influence a bank employee to bypass the filing of a CTR, the recording of purchases of monetary instruments, or the filing of a SAR.
• Lavish lifestyles of customers or bank employees. Lavish lifestyles of customers or employees, which are not supported by their current salary, may indicate possible involvement in money laundering activities.
• Short-term or no vacations. A bank employee may be reluctant to take any vacation time or may only take short vacations (one or two days).
• Circumvention of internal control procedures. Overrides of internal controls, recurring exceptions, and out-of-balance conditions may indicate money laundering activities. For example, bank employees may circumvent wire transfer authorizations and approval policies, or could split wire transfers to avoid ceiling limitations.
• Incorrect or incomplete CTRs. Employees may frequently submit incorrect or incomplete CTRs.

Terrorist Financing Red Flags

Methods used by terrorists to generate funds can be both legal and illegal. In the U.S., it is irrelevant whether terrorist funding is obtained legally or illegally; any funds provided to support terrorist activity are considered to be laundered money. Funding from both legal and illegal sources must be laundered by the terrorist in order to obscure links between the terrorist group (or cell) and its funding sources and uses. Terrorists and their support organizations typically use the same methods that criminal groups use to launder funds. In particular, terrorists appear to favor:

• Cash smuggling, both by couriers or in bulk cash shipments;
• Structured deposits and/or withdrawals;
• Purchases of monetary instruments;
• Use of credit and/or debit cards; and
• Use of underground banking systems.

While it is not the primary function of an examiner to identify terrorist financing while examining an institution for BSA compliance, examiners and financial institution management should be cognizant of suspicious activities or unusual transactions that are common indicators of terrorist financing. Institutions are encouraged to incorporate procedures into their BSA/AML compliance programs that address notifying the proper Federal agencies when serious concerns of terrorist financing activities are encountered. At a minimum, these procedures should require the institution to contact FinCEN’s Financial Institutions Hotline to report such activities.

SUSPICIOUS ACTIVITY REPORTING

Part 353 of the FDIC’s Rules and Regulations requires insured state nonmember banks to report known or suspected criminal offenses to the Treasury. The SAR form to be used by financial institutions is Form TD F 90-22.47 and is available on the FinCEN website. FinCEN is the repository for these reports, but content is owned by the Federal Banking Agencies. The SAR form is used to report many types of suspected criminal violations. Details of the criminal violations can be found in the Criminal Violations section of this manual.

Suspicious Activities and Transactions Requiring SAR Filings

Among the suspicious activities required to be reported are any transactions aggregating $5,000 or more that involve potential money laundering, suspected terrorist financing activities, or violations of the BSA. However, if a financial institution insider is involved in the suspicious transaction(s), a SAR must be filed at any transaction amount. Other suspected criminal activity requires filing a SAR if the transactions aggregate $5,000 or more and a suspect can be identified. If the financial institution is unable to identify a suspect, but believes it was an actual or potential victim of a criminal violation, then a SAR must be filed for transactions aggregating $25,000 or more. Although these are the required transaction levels for filing a SAR, a financial institution may voluntarily file a SAR for suspicious transactions below these thresholds. SAR filings are not used for reporting robberies to local law enforcement, or for lost, counterfeit, or stolen securities that are reported pursuant to 17 CFR 240.17f-1.

If the suspicious transaction involves currency and exceeds $10,000, the financial institution will also need to file a CTR in addition to a SAR.

For suspected money laundering and violations of the BSA, a financial institution must file a SAR, if it knows, suspects, or has reason to suspect that:

• The transaction involves funds derived from illegal activities or is intended or conducted in order to conceal funds or assets derived from illegal activities (including without limitation, the ownership, nature, source, location, or control of such funds or assets), as part of a plan to violate or evade any Federal law or regulation or to avoid any transaction reporting requirement under Federal law;
• The transaction is designed to evade any regulation promulgated under the BSA; or
• The transaction has no business or apparent lawful purpose or is not the sort of transaction in which the particular customer would normally be expected to engage, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

Preparation of the SAR Form

The SAR form requires the financial institution to complete detailed information about the suspect(s) of the transaction, the type of suspicious activity, the dollar amount involved, along with any loss to the financial institution, and information about the reporting financial institution. Part V of the SAR form requests a narrative description of the suspect violation and transactions and is used to document what supporting information and records the financial institution retains. This section is considered very critical in terms of explaining the apparent criminal activity to law
enforcement and regulatory agencies. The information provided in this section should be complete, accurate, and well-organized. This section should contain additional information on suspects, describe instruments and methods of facilitating the transaction, and provide any follow-up action taken by the financial institution. Data inserts in the form of tables or graphics are discouraged as they are not compatible with the SAR database at FinCEN. Also, attachments to a SAR form will not be stored in the database because they do not conform to the database format. Consequently, a narrative in Part V that states only “see attached” will result in no meaningful description of the transaction, rendering the record in this field insufficient.

The financial institution is also encouraged to detail a listing of documentation available that supports the SAR filing in Part V of the SAR form. This notice will provide law enforcement the awareness necessary to ensure timely access to vital information, if further investigation results from the SAR filing. All documentation supporting the SAR must be stored by the financial institution for five years and is considered property of the U.S. Government.

FinCEN has provided ongoing guidance on how to prepare SAR forms in its publication, “SAR Activity Reviews,” under a section on helpful hints, tips, and suggestions on SAR filing. These publications are available at the FinCEN website. Financial institution management should be encouraged to review current and past issues as an aid in properly completing SARs.

SAR Filing Deadlines

By regulation, SAR forms are required to be filed no later than 30 calendar days after the date of initial detection of facts that may constitute a basis for filing a SAR. If no suspect was identified on the date of detection of the incident requiring the filing, a financial institution may delay filing a SAR for an additional 30 calendar days in order to identify a suspect. In no case shall reporting be delayed more than 60 days after the date of initial detection of a reportable transaction.

Customers Engaging in Ongoing Suspicious Activity

If a customer’s suspicious activity continues to occur, FinCEN recommends the financial institution file an update on the activity and amounts every 90 days using the SAR form. In such instances, the financial institution should aggregate the dollar amount of previously reported activity and the dollar amount of the newer activity and put this amount in the box on the SAR requesting “total dollar amount involved in known or suspicious activity.” Similarly, for the date range of suspicious activity, the financial institution should maintain the original “start” date and extend the “to” date to include the 90 day period in which the suspicious and reportable activity continued.

Failure to File SARs

If an examiner determines that a financial institution has failed to file a SAR when there is evidence to indicate a report should have been filed, the examiner should instruct the financial institution to immediately file the SAR. If the financial institution refuses, the examiner should complete the SAR and cite violations of Part 353 of the FDIC’s Rules and Regulations, providing limited details of suspicious activity or the SAR in the Report of Examination. In instances involving a senior officer or director of the financial institution, examiners may prepare the SAR, rather than request the financial institution to do so in order to ensure that the SAR explains the suspicious activity accurately and completely. Each Regional Office is responsible for monitoring SARs filed within that region. Examiner-prepared SARs should be forwarded to their Regional Special Activities Case Manager to ensure timely and proper filing. Any examiner-prepared SARs and all supporting documents should be maintained in the field office files for five years.

SAR Filing Methods

SARs can be filed in paper form, by magnetic tape, or through the Patriot Act Communications System. Financial institutions may contact law enforcement and their Federal Banking Agency to notify them of the suspicious activity, and these contacts should be noted on the SAR form.

Notification to Board of Directors of SAR Filings

Section 353.3 of the FDIC’s Rules and Regulations requires the financial institution’s board of directors, or designated committee, be promptly notified of any SAR filed. However, if the subject of the SAR is a senior officer or member of the board of directors of the financial institution, notification to the board of directors should be handled differently in order to avoid violating Federal laws that prohibit notifying a suspect or person involved in the suspicious transaction that forms the basis of the SAR. In these situations, it is recommended that appropriate senior personnel not involved in the suspicious activity be advised of the SAR filing and this process be documented.

In cases of financial institutions that file a large volume of SARs, it is not necessary that the board of directors, or
designated committee thereof, review each and every SAR document. It is acceptable for the BSA officer to prepare an internal tracking report that briefly discusses all of the SARs filed for a particular month. As long as this tracking report is meaningful in content, then the institution will still be meeting the requirements of Part 353 of the FDIC’s Rules and Regulations. Such a report would identify the following information for each SAR filed:

• Customer’s name and any additional suspects;
• Social Security Number or TIN;
• Account number (if a customer);
• The date range of suspicious activity;
• The dollar amount of suspicious activity;
• Very brief synopsis of reported activity (for example, “cash deposit structuring” or “wire transfer activity inconsistent with business/occupation”); and
• Indication of whether it is a first-time filing or repeat filing on the customer/suspects.

Such a tracking report promotes efficiency in review of multiple SAR filings. Nevertheless, there are still some SARs that the board of directors, or designated committee thereof, should review individually. Such “significant SARs” would include those that involve insiders (notwithstanding the guidance above regarding the handling of SARs involving board members and senior management), suspicious activity above an internally determined dollar threshold, those involving significant check kiting activity, etc. Financial institutions are encouraged to develop their own parameters for defining “significant SARs” necessitating full reviews; such guidance needs to be written and formalized within board approved BSA policies and procedures.

Safe Harbor for Institutions on SAR Filings

A financial institution that files a SAR is accorded safe harbor from civil liability for filing reports of suspected or known criminal violations and suspicious activities with appropriate authorities. Any financial institution that is subpoenaed or otherwise requested to disclose information contained in a SAR or the fact that a SAR was filed to others shall decline to produce the SAR or provide any information or statements that would disclose that a SAR has been prepared or filed. This prohibition does not preclude disclosure of facts that are the basis of the SAR, as long as the disclosure does not state or imply that a SAR has been filed on the underlying information.

Recently, the safe harbor protections were reiterated and expanded. Section 351 of the USA PATRIOT Act, amended Section 5318(g)(3) of 31 USC and included directors, officers, employees, and agents of the financial institutions who participate in preparing and reporting of SARs under safe harbor protections. Section 355 of the USA PATRIOT Act, implemented at Section 18(w) of the FDI Act, established a means by which financial institutions can share factual information of suspected involvement in criminal activity with each other in connection with references for employment. To comply, employment references must be written and the disclosure made without malicious intent. The financial institution still may not disclose that a SAR was filed. The sharing of employment information is voluntary and should be done under adequate procedures, which may include review by the institution’s legal counsel to assess potential for claims of malicious intent.

Examination Guidance

Examiners should ensure that the financial institution has procedures in place to identify and report suspicious activity for all of the financial institution’s departments and activities. The guidance may be contained in several policies and procedures; however, it may be advisable for the financial institution to centrally manage the reporting of suspicious activities to ensure that transactions are being reported, when appropriate. A single point of contact can also expedite law enforcement contacts and requests to review specific SARs and their supporting documentation.

As part of its BSA and anti-money laundering programs, the financial institution’s policies should detail procedures for complying with suspicious activity reporting requirements. These procedures should define reportable suspicious activity. Financial institutions are encouraged to elaborate and clarify definitions using examples and discussion of the criminal violations. Parameters to filter transactions and review for customer suspicious activity should also be established. Typically, the criteria will be used to identify exceptions to expected customer and transaction activity patterns and identify high-risk customers, whose accounts and transactions should be subject to enhanced scrutiny. Procedures to facilitate accurate and timely filing of SARs, as well as to ensure proper maintenance of supporting documentation, should also be prescribed. Procedures to document decisions not to file a SAR should also be established. Reporting requirements, including reporting SAR filings to senior management and institution directors should be defined. Any additional actions, such as closer monitoring or closing of an involved account(s) that the financial institution may wish to take should be defined in the policy. Many institutions are concerned about facilitating money laundering by continuing to process these suspicious transactions. As there is no requirement to close an account, the institution should assess each
situation and provide corresponding guidance on this area in its policy. If the financial institution does plan to close an account that is under investigation by law enforcement, then the institution should notify law enforcement of its intent to close the account.

SAR Database

If examiners need specific SAR filing information, they should contact their Regional SACM or other designees. These specially designated individuals have access to the FinCEN computer system and the database containing records of SAR filings. The database contains information from SARs filed by all federally insured financial institutions. The database is maintained according to the numbered reporting fields in the SAR form, so information can be searched, for example, by suspect, type of violation, or location.

Under current guidance, examiners should obtain a listing or copies of the SARs filed in the current and previous two years by a financial institution for pre-examination planning purposes. Additional searches may be requested as needed, such as to identify whether a SAR has been filed for suspicious activity discovered during the examination, or to obtain information about additional SAR filings on a particular suspect or group of transactions.

For additional guidance on obtaining SAR data, refer to the detailed instructions provided within the “Currency and Banking Retrieval System” discussion within the “Financial Crimes Enforcement Network Reporting and Recordkeeping Requirements” section of this chapter.

OFFICE OF FOREIGN ASSETS CONTROL

The Treasury’s Office of Foreign Assets Control administers laws that impose economic and trade sanctions based on foreign policy and national security objectives. Sanctions have been established against various entities and individuals such as targeted foreign countries, terrorists, international narcotics traffickers, and those engaging in activities relating to the proliferation of weapons of mass destruction. Collectively, such individuals and companies are called Specially Designated Nationals (SDNs) and Blocked Persons.

OFAC acts under Presidential wartime and national emergency powers, in addition to authority granted by specific legislation. OFAC has powers to impose controls on transactions and to freeze foreign assets under U.S. jurisdiction. Sanctions can be specific to the interests of the U.S.; however, many sanctions are based on United Nations and other international mandates. Sanctions can include one or more of the following:

• Blocking of assets,
• Trade embargoes,
• Prohibition on unlicensed trade and/or financial transactions,
• Travel bans, and
• Other financial and commercial prohibitions.

A complete list of countries and other specially-designated targets that are currently subject to U.S. sanctions and a detailed description of each order can be found on the Treasury website.

OFAC Applicability

OFAC regulations apply to all U.S. persons and entities, including financial institutions. As such, all U.S. financial institutions, their branches and agencies, international banking facilities, and domestic and overseas branches, offices, and subsidiaries must comply with OFAC sanctions.

Blocking of Assets, Accounts, and Transactions

OFAC regulations require financial institutions to block accounts and other assets and prohibit unlicensed trade and financial transactions with specified countries. Assets and accounts must be blocked when that property is located in the U.S., or is held by, possessed by, or under the control of U.S. persons or entities. The definition of assets and property can include anything of direct, indirect, present, future, and contingent value. Since this definition is so broad, it can affect many types of products and services provided by financial institutions.

OFAC regulations also direct that prohibited accounts of and transactions with SDNs and Blocked Persons need to be blocked or rejected. Generally, U.S. financial institutions must block or freeze funds that are remitted by or on behalf of a blocked individual or entity, are remitted to or through a blocked entity, or are remitted in connection with a transaction in which a blocked entity has an interest. For example, a financial institution cannot send a wire transfer to a blocked entity; once a payment order has been received from a customer, those funds must be placed in an account on the blocked entity’s behalf. The must be a commercially reasonable rate (i.e., at a rate currently offered to other depositors with similar deposit size and terms). Customers cannot cancel or amend payment orders on blocked funds after the U.S.
financial institution has received the order or the funds in question. Once these funds are blocked, they may be released only by specific authorization from the Treasury. Full guidelines for releasing blocked funds are available on the OFAC website. Essentially, either the financial institution or customer files an application with OFAC to obtain a license or authorization to release the blocked funds.

Rejected transactions are those that are to be stopped because the underlying action is prohibited and cannot be processed per the sanctions program. Rejected transactions are to be returned to the sending institution. Transactions include, but are not limited to, the following:

• Cash deposits;
• Personal, official, and traveler’s checks;
• Drafts;
• Loans;
• Obligations;
• Letters of credit;
• Credit cards;
• Warehouse receipts;
• Bills of sale;
• Evidences of title;
• Negotiable instruments, such as money orders;
• Trade acceptances;
• Wire transfers;
• Contracts;
• Trust assets; and
• Investments.

OFAC Reporting Requirements

OFAC imposes reporting requirements for blocked property and blocked or rejected transactions. OFAC does not take control of blocked or rejected funds, but it does require financial institutions to report all blocked property to OFAC annually by September 30th. Additionally, financial institutions must notify OFAC of blocked or rejected transactions within 10 days of their occurrence.

When an institution identifies an entity that is an exact match, or has many similarities to a subject listed on the SDN and Blocked Persons List, the institution should contact OFAC Compliance at 1-800-540-6322 for verification. Unless a transaction involves an exact match, it is recommended that the institution contact OFAC Compliance before blocking assets.

Issuance of OFAC Lists

OFAC frequently publishes updates to its list of SDNs and Blocked Persons. This list identifies individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also includes those individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. OFAC adds and removes names as necessary and appropriate and posts those updates to its website. The Special Activities Section in Washington D.C. notifies FDIC-supervised institutions that updates to the SDN and Blocked Persons List are available through Financial Institution Letters.

Maintaining an updated SDN and Blocked Persons list is essential to an institution’s compliance with OFAC regulations. It is important to remember that outstanding sanctions can and do change and names of individuals and entities are added to the list frequently. Financial institutions should establish procedures to ensure that their screening information is up-to-date to prevent accepting, processing, or facilitating illicit financial transactions and the potential civil liability that may result.

Financial Institution Responsibilities – OFAC Programs and Monitoring Systems

Financial institutions are subject to the prohibitions and reporting required by OFAC regulations; however, there are not any regulatory program requirements for compliance. Neither OFAC nor Federal financial institution regulators have established laws or regulations dictating what banking records must be screened for matches to the OFAC list, or how frequently reviews should be performed. A violation of law occurs only when the institution conducts a blocked or rejected transaction, regardless of whether the financial institution is aware of it. Additionally, institutions that fail to block and report a transfer (which is subsequently blocked by another bank) may be subject to adverse publicity, fines, and even criminal penalties.

OFAC has the authority to assess CMPs for any sanction violation, and these penalties can be severe. Over the past several years, OFAC has had to impose millions of dollars in CMPs involving U.S. financial institutions. The majority of these fines resulted from institutions’ failure to block illicit transfers when there was a reference to a targeted country or SDN. While the maximum penalties are established by law, OFAC will consider the Federal banking regulator’s most recent assessment of the financial institution’s OFAC compliance program as one of the mitigating factors for determining any penalty. In addition, OFAC can pursue criminal penalties if there is any evidence of criminal intent on the part of the financial
institution or its employees. Criminal penalties provide for imprisonment up to 30 years and fines ranging up to $10 million.

Furthermore, financial institutions are not permitted to transfer responsibility for OFAC compliance to correspondent banks or a contracted third party, such as a data processing service provider. Each financial institution is responsible for every transaction occurring by or through its systems. If a sanctioned transaction traverses several U.S. financial institutions, all of these institutions will be subject to the same civil or criminal action, with the exception of the financial institution that blocked or rejected the transaction, as appropriate.

Examination Considerations

Financial institutions should establish and maintain effective OFAC programs and screening capabilities in order to facilitate safe and sound banking practices. It is not the examiner’s primary duty to identify unreported accounts or transactions within an institution. Rather, examination procedures should focus on evaluating the adequacy of an institution’s overall OFAC compliance program and procedures, including the systems and controls in place to reasonably assure accounts and transactions are blocked and rejected.

In reviewing an institution’s OFAC compliance program, examiners should evaluate the operational risks the financial institution is willing to accept and determine if this exposure is reasonable in comparison with the business type, department or product, customer base, and cost of an effective screening program for that particular institution, based on its risk profile.

The FDIC strongly recommends that each financial institution adopt a risk-focused, written OFAC program designed to ensure compliance with OFAC regulations. An effective OFAC program should include the following:

• Written policies and procedures for screening transactions and new customers to identify possible OFAC matches;
• Qualified individual to monitor compliance and oversee blocked funds;
• OFAC risk-assessment for various products and departments within the financial institution;
• Guidelines and internal controls to ensure the periodic screening of all existing customer accounts;
• Procedures for obtaining and maintaining up-to-date OFAC lists of blocked countries, entities, and individuals;
• Methods for conveying timely OFAC updates throughout the financial institution, including offshore locations and subsidiaries;
• Procedures for handling and reporting prohibited OFAC transactions;
• Guidance for SAR filings on OFAC matches, if appropriate, such as when criminal intent or terrorist activity is involved;
• Internal review or audit of the OFAC processes in each affected department; and
• Training for all appropriate employees, including those in offshore locations and subsidiaries.

Departmental and product risk assessments are fundamental to a sound OFAC compliance program. These assessments allow institution management to ensure appropriate focus on high-risk areas, such as correspondent banking activities and electronic funds transfers. An effective program will filter as many transactions as possible through OFAC’s SDN and Blocked Persons List, whether they are completed manually or through the use of a third party software program. However, when evaluating an institution’s compliance program, examiners should consider matters such as the size and complexity of the institution. Adequate compliance procedures can and should be targeted to transactions that pose the greatest risk to an institution. Some transactions may be difficult to capture within a risk-focused compliance program. For example, a customer could write a personal check to a blocked entity; however, the only way the financial institution that the check is drawn upon could block those funds would be if it reviewed the payee on each personal check, assuming the information is provided and legible. Under current banking practices, this would be costly and time consuming. Most financial institutions do not have procedures for interdicting these transactions, and, yet, if such a transaction were to be processed by a U.S. financial institution, it is a violation of OFAC regulations and could result in CMPs against the bank.

However, if a financial institution only screens its wire transfers through the OFAC SDN and Blocked Persons List and never screens its customer database, that is a much higher and, likely, unacceptable risk for the financial institution to assume in relation to the time and expense to perform such a review. Particular risk areas that should be screened by all financial institutions include:

• Incoming and outgoing electronic transactions, such as ACH;
• Funds transfers, including message or instruction fields;
• Monetary instrument sales; and
• Account beneficiaries, signors, powers of attorney, and beneficial owners.

As mentioned previously, account and transaction screening may be done manually, or by utilizing computer software available from the Treasury website or other third party vendors. In fact, many institutions have outsourced this function. If automated, OFAC offers the SDN list in a delimited file format that can be imported into some software programs. Commercial vendors also offer several OFAC screening software packages with various capabilities and costs. If an institution utilizes an automated system to screen accounts and transactions, examiners should ensure that the institution’s policies and procedures address the following:

• OFAC updates are timely;
• OFAC verification can be and is completed in a reasonable time;
• Screening is completed by all bank departments and related organizations; and
• Process is reasonable in relation to the institution’s risk profile.

Wholly-owned securities and insurance subsidiaries of financial institutions must also adopt an OFAC compliance program tailored to meet industry specific needs. The OFAC website provides additional reference material to these industries concerning compliance program content and procedures.

OFAC maintains current information and FAQs on its website. For any questions, OFAC encourages financial institutions to contact its Compliance Hotline at 800-540-6322 (7:30am-6:00pm, weekdays).

EXAMPLES OF PROPER CITATION OF APPARENT VIOLATIONS OF BSA-RELATED REGULATIONS IN THE REPORT OF EXAMINATION

The situations depicted in the examples below are intended to provide further clarification on when and how to cite apparent violations of the BSA and implementing regulations, within the context of findings that are typical for BSA reviews conducted during regular Safety & Soundness examinations. As is often the case, deficiencies identified within an institution’s BSA compliance policies and procedures may lead to the citation of one or more apparent violations. The identification of numerous and/or severe deficiencies may indicate an ineffective and inadequate program. When an institution’s BSA compliance program is considered inadequate, an apparent violation of Part 326.8(b)(1) of the FDIC’s Rules and Regulations should also be cited.

Example 1

An examiner is conducting a BSA review at Urania Bank, a $100 million financial institution in El Paso, Texas. The examiner identifies a systemic violation because the financial institution has not filed CTRs on cash purchases of monetary instruments. This is an apparent violation of 31 CFR 103.22(b)(1). The examiner also identifies a complete failure to scrub the institution’s database against 314(a) Requests. This is an apparent violation of 31 CFR 103.100(b)(2). In addition, the examiner identifies numerous incomplete CTRs in apparent violation of 31 CFR 103.27(d). Because of the internal control inadequacies, the examiner also cites an apparent violation of Section 326.8(c)(1). The examiner further determines that the problems are sufficiently serious, warranting the citation of an apparent violation of Section 326.8(b)(1) for failure to develop and provide for an adequate BSA program. After doing additional research, the examiner determines that an apparent violation of Section 326.8(c)(2) should also be cited for inadequate independent testing that should have identified the ongoing weaknesses found by the examiner. Furthermore, the examiner decides that an apparent violation of Section 326.8(c)(4) should be cited for inadequate training. Employees are given cursory BSA training each year; however, no training exists for appropriate identification of cash activity and adequate CTR filings. The examiner also determines that an apparent violation of Section 326.8(c)(3) is appropriate because the BSA officer at Urania Bank comes in only two days per week. This is clearly inadequate for a financial institution of this size and complexity, as exhibited by the systemic BSA problems. In addition to fully addressing these deficiencies in the Violations and Risk Management sections of the Report of Examination, the Examiner-In-Charge fully details the findings, weaknesses, and management responses on the Examiner Comments and Conclusions pages.

Example 2

Examiners at Delirium Thrift, a $500 million financial institution in Southern California, begin the BSA review by requesting the wire transfer log for incoming and outgoing transactions. Information being obtained by the institution for the outgoing wire transfers is identified as inadequate. Consequently, the examiners cite an apparent violation of 31 CFR 103.33(g)(1). Additional research reveals that deficiencies in the wire log information are attributed to several branch locations that are failing to provide
sufficient information to the wire transfer department. Because the deficiencies are isolated to transactions originating in a few locations, examiners determine that the deficiencies are not systemic and the overall program remains effective. However, because it is evident in interviews with several branch employees that their training in this area has been lacking, examiners also cite an apparent violation of Section 326.8(c)(4) and request that the institution implement a comprehensive training program that encompasses all of its service locations.

Example 3

Examiners at the independent BSA examination of Bullwinkle Bank and Trust, Moose-Bow, Iowa, a $30 million financial institution, were provided no written BSA policies after several requests. However, actual internal practices for BSA compliance were found to be fully satisfactory for the size and BSA risk-level of the financial institution. Given the low risk profile of the institution, including a nominal volume of reportable transactions being processed by the institution, the BSA/AML procedures in place are sufficient for the institution. Therefore, examiners cite only an apparent violation of Section 326.8(b)(1) for failure to develop an adequate written BSA compliance program that is approved by the financial institution’s board of directors.

Example 4

Appropriately following pre-examination scoping requirements, examiners obtain information from their Regional SACM or other designees on previous SAR filings relating to money laundering. Upon arrival at Mission Achievement Bank, Agana, Guam, a $250 million financial institution with overseas branches, examiners determine that several of the accounts upon which money laundering SARs had been previously filed are still open and evidencing ongoing money laundering activity. However, the financial institution has failed to file subsequent SARs on this continued activity in these accounts and/or the parties involved. Consequently, the examiner appropriately cites apparent violations of Section 353.3(a) of the FDIC Rules and Regulations for failure to file SARs on this ongoing activity. Further analysis identifies that the failure to appropriately monitor for suspicious or unusual transactions in its high-risk accounts and subsequently file SARs is a systemic problem at the financial institution. Because of the institution-wide problem, the examiner cites an apparent violation of Section 326.8(c)(1) for inadequate internal controls. Furthermore, after consultation with the Regional SACM, the examiner concludes that the institution’s overall BSA program is inadequate because of the failures to identify and report suspicious activities and, therefore, cites an apparent violation of Section 326.8(b)(1).

The examples below provide examiner guidance for preparing written comments for apparent violations of the BSA and implementing regulations. In general, write-ups should fully detail the nature and severity of the infraction(s). These comments intentionally omit the management responses that should accompany all apparent violation write-ups.

Part 326.8(b)(1) of the FDIC Rules and Regulations

Part 326.8(b)(1) requires each bank to “develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with recordkeeping and reporting requirements” of the Bank Secrecy Act, or 31 CFR 103. The regulation further states that “the compliance program shall be written, approved by the bank’s board of directors, and noted in the minutes.”

The Board and the senior management team have not adequately established and maintained appropriate procedures reasonably designed to assure and monitor the financial institution’s compliance with the requirements of the BSA and related regulations. This assessment is evidenced by the weak internal controls, policies, and procedures as identified at this examination. Furthermore, the Board and senior management team have not made a reasonable effort to assure and monitor compliance with recordkeeping and reporting requirements of the BSA. As a result, apparent violations of other sections of Part 326.8 of the FDIC Rules and Regulations and 31 CFR 103 of the U.S. Treasury Recordkeeping Regulations have been cited.

Part 326.8(b)(2) of the FDIC Rules and Regulations

Part 326.8(b)(2) states that each bank must have a customer identification program to be implemented as part of the BSA compliance program.

Management has not provided for an adequate customer identification program. Current policy requirements do not meet the minimum provisions for a customer identification program, as detailed in 31 CFR 103. Current policies and practices require no documentation for new account openings on the Internet with the exception of a “verification e-mail” sent out confirming that the signer wants to open the account. Signature cards are mailed off-site to the Internet customer, who signs them and mails them back without any evidence of third-party verification, such as a notary seal. Based on the risk of these types of accounts, this methodology for verification is clearly
inadequate to meet regulatory requirements and sound customer due diligence.

Part 326.8(c)(1) of the FDIC Rules and Regulations

Part 326.8(c)(1) states, in part, that the compliance program shall, at a minimum, provide for a system of internal controls to assure ongoing compliance.

Management has not provided for an adequate system of internal controls to assure ongoing compliance. Examiners identified the following internal control deficiencies:

• Incomplete BSA and AML policies for a bank with a high-risk profile.
• Insufficient identification systems for CTR reporting.
• Late CTR filings.
• Insufficient reporting mechanisms for identification of structured transactions and other suspicious activity.
• Weak oversight over high-risk customers.
• Insufficient customer identification program and customer due diligence.

Due to the financial institution’s high-risk profile, management should go beyond minimum CIP requirements and do a sufficient level of due diligence that provides for a satisfactory evaluation of the customer. Management must provide for adequate reporting mechanisms to identify large cash transactions as well as suspicious activity. Timely completion and review of appropriate reports, in conjunction with a sufficient level of due diligence, should allow for the accurate and timely reporting of CTRs and SARs.

Part 326.8(c)(2) of the FDIC Rules and Regulations

Part 326.8(c)(2) states that the compliance program shall provide for independent testing for compliance to be conducted by an outside party or bank personnel who have no BSA responsibility or oversight.

The financial institution’s BSA policies provide for independent testing. However, the financial institution has not received an independent review for over three years. An annual review of the BSA program should be completed by a qualified independent party. This review should incorporate all of the high-risk areas of the institution, including cash-intensive accounts and transactions; sales and purchases of monetary instruments; customer exemption list; electronic funds transfer activities; and compliance with customer identification procedures.

Part 326.8(c)(3) of the FDIC Rules and Regulations

Part 326.8(c)(3) states that the compliance program shall designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance.

The board of directors has named Head Teller Ben Bison as the BSA officer. While Mr. Bison has a basic understanding of CTR filing, he does not have any training on detecting and reporting suspicious activity. Furthermore, Ben Bison does not have policy-making authority over the BSA function. Management needs to appoint someone with policy-making authority as the institution’s BSA Officer.

Part 326.8(c)(4) of the FDIC Rules and Regulations

Part 326.8(c)(4) states that the compliance program shall provide training for appropriate personnel.

Example 1:

While BSA training programs are adequate, management has trained less than half of the appropriate operational personnel during the last calendar year. Management must ensure that all appropriate personnel, including the board of directors and officers, receive adequate BSA training a minimum of once per year and ongoing for those whose duties require constant awareness of the BSA requirements.

Example 2:

BSA training needs improvement. While regular BSA training sessions are developed and conducted for branch operations personnel, the training programs do not address internal BSA policies and, more importantly, BSA and anti-money laundering regulations. Management must ensure that comprehensive BSA training is provided to all directors, officers, and appropriate operational personnel. Training should be provided at least annually, and must be ongoing for those whose duties require constant awareness of BSA requirements. The training must be commensurate with the institution’s BSA risk-profile and provide specific employee guidance on detecting unusual or suspicious transactions beyond the detection of cash structuring transactions.

Part 353.3 of the FDIC Rules and Regulations and 31 C.F.R. 103.18

Part 353.3(a) and 31 C.F.R. 103.18 state, in part, that Suspicious Activity Reports (SARs) should be filed when:

• Insider abuse is involved in any amount;
• Transactions aggregating $5,000 or more when the suspect can be identified;
• Transactions aggregating $25,000 or more when the suspect cannot be identified; and
• Transactions aggregating $5,000 or more that involve money laundering or violations of the BSA… if the bank knows, suspects, or has reason to suspect that:
   o The transaction involves funds derived from illegal activities,
   o The transaction is designed to evade BSA reporting requirements, or
   o The transaction has no business or apparent lawful purpose or is not the sort of transaction in which the particular customer would normally be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

Management failed to file SARs on several different deposit account customers, all of which appeared to be structuring cash deposits to avoid the filing of CTRs. These transactions all appeared on large cash transaction reports reviewed by management; however, no one in the institution researched the transactions or filed SARs on the incidents. Management must file SARs on the following customer transactions and appropriately review suspicious activity and file necessary SARs going forward.

Account Number   Dates               Total Cash Deposited
123333           02/20/xx-02/28/xx   $50,000
134445           03/02/xx-03/15/xx   $32,300
448832           01/05/xx-03/10/xx   $163,500
878877           03/10/xx-03/27/xx   $201,000

Part 353.3(b) of the FDIC Rules and Regulations and 31 C.F.R. 103.18(b)(3)

Part 353.3(b) of the FDIC Rules and Regulations and 31 C.F.R. 103.18(b)(3) state that a bank shall file a suspicious activity report (SAR) no later than 30 calendar days after the date of initial detection of facts that may constitute a basis for filing a SAR. In no case shall reporting be delayed more than 60 calendar days after the date of initial detection.

Management and the board have failed to file several hundred SARs within 30 calendar days of the initial detection of the suspicious activity. The BSA officer failed to file any SARs for the time period of June through August 20XX. This information was verified through use of the FinCEN database, which showed that no SARs had been filed during that time period. In addition, SARs filed from February through May of 20XX were filed between 65 days and 82 days of the initial detection of the activity. Management must ensure that suspicious activity reports are not only identified, but also filed in a timely manner.

Part 353.3(f) of the FDIC Rules and Regulations

Part 353.3(f) of the FDIC Rules and Regulations states that bank management must promptly notify its board of directors, or a committee thereof, of any report filed pursuant to Part 353 (Suspicious Activity Reports).

Management has not properly informed the board of directors of SARs filed to report suspicious activities. The management team has provided the board with erroneous reports showing that the bank has filed SARs, when, in fact, the management team never did file such SARs. Board and committee minutes clearly indicate a reliance on these reports as accurate.

31 C.F.R. 103.22(c)(2)

This section of the Financial Recordkeeping Regulations requires the bank to treat multiple transactions totaling over $10,000 as a single transaction.

Management’s large cash aggregation reports include only those cash transactions above $9,000. Because of this weakness in the reporting system’s set-up, the report failed to pick up transactions below $9,000 from multiple accounts with one owner. The following transactions were identified which should have been aggregated and a CTR filed. Management needs to alter or improve their system in order to identify such transactions.

Customer Name              Account #    Date       Amount
Mini Meat Market           122222222    12/12/xx   $8,000
                           122233333    12/12/xx   $4,000
                           122222222    12/16/xx   $6,000
                           122233333    12/16/xx   $5,000
Claire’s Club Sandwiches
a/k/a Claire’s Catering    15555555     12/22/xx   $4,000
                           17777777     12/22/xx   $7,000
                           17777788     12/22/xx   $3,000

31 C.F.R. 103.22(d)(6)(i)

This section of the Financial Recordkeeping regulation states that a bank must document monitoring of exempt
person transactions. Management must review exempt accounts at least one time per year and must document appropriate monitoring and review of each exempt account.

Management has exempted three customers, but has failed to document monitoring of their accounts. Management has stated that they did monitor the account transactions and no suspicious activity appears evident; however, management must retain appropriate documentation for all account monitoring of exempt customers. Such monitoring documentation could include, but is not limited to:

• Reviews of exempt customers’ cash transactions,
• Review of monthly statements and monthly activity,
• Interview notes with account owners or visitation notes from reviewing the place of business,
• Documenting changes of ownership, or
• Documenting changes in amount, timing, or type of transaction activity.

31 C.F.R. 103.27(a)

This section of the Financial Recordkeeping regulation requires the financial institution to retain all Currency Transaction Reports for five years.

Management failed to keep copies of all of the CTRs filed during the past five years. Management can locate CTRs filed for the past two years but has not consistently retained CTR copies for the three years preceding. Management needs to make sure that its record-keeping systems allow for the retention and retrieval of all CTRs filed for the previous five-year time period.

31 C.F.R. 103.27(d)

This section of the Financial Recordkeeping regulation requires the financial institution to include all appropriate information required in the CTR.

Management has consistently failed to obtain information on the individual conducting the transaction unless that person is also the account owner. This information is required in the CTR and must be completed. Since this is a systemic failure, management needs to ensure proper training is provided to tellers and other key employees to ensure that this problem is corrected.

31 C.F.R. 103.121(b)(2)(i)(A)(4)(ii)

This section of the Financial Recordkeeping regulation states that the financial institution must obtain a tax identification number or number and country of issuance of any government-issued documentation.

The financial institution’s policies and programs require that all employees obtain minimum customer identification information; however, accounts in the Vermont Street Branch have not been following minimum account opening standards. Over half of the accounts opened at the Vermont Street Branch since October 1, 2003, when this regulation came into effect, have been opened without tax identification numbers or similar personal identification number for non-U.S. citizens. Management must ensure that BSA policies and regulations are followed throughout the institution and verify through BSA officer reviews and independent reviews that requirements are being met.

WEB-SITE REFERENCES

Financial Crimes Enforcement Network (FinCEN):
www.fincen.gov

FinCEN Money Services Businesses:
www.msb.gov

Financial Action Task Force:
www..org/fatf

Office of Foreign Assets Control:
www.ustreas.gov/offices/eotffc/ofac
